Privacy notice
Form: IF – Update Date 02/2024
Articles 13 and 14 EUROPEAN REGULATION No. 2016/679
Legislative Decree 2003/196, as amended by Legislative Decree 2018/101
Dear Provider,
The undersigned Idrobase Group Srl, with registered office in Via dell’Industria 25, 35010 Borgoricco (PD), tax code and VAT number 04604140287, as “Data Controller” informs you that, pursuant to Articles 13 and 14 of European Regulation no. 2016/679 (hereinafter “EU Regulation”), your data shall be processed as follows:
1. Subject-matter of the processing
The Data Controller informs you that, the personal identification data provided by you (such as name, surname, company name, address, phone, e-mail, bank and/or payment details, etc.), hereinafter referred to in “personal data” or even simply “data”, also acquired verbally, directly or through third parties, in relation to entering into a contract, may be subject to processing, in full compliance with the provisions of EU Regulation.
Data processing means any operation or set of operations concerning collection, recording, organization, storage, consultation, processing, alteration, selection, retrieval, alignment, use, combination, block, disclosure, dissemination, destruction of the data thereof.
2. Nature of the data processed, Legal basis and Purposes of the processing
Nature of the data processed. In relation to the contractual relationship or all steps prior entering into a contract, only “common personal data” shall be processed, such as:
• personal details (name, surname, etc.), residence and/or domicile address and contact details (phone, mobile, e-mail);
• data relating to professional qualification and role in the company;
• bank details and/or aimed at the payment;
• etc.
Clarification: only exceptionally, special data (Article 9 EU Regulation) and judicial data (Article 10 EU Regulation) may be, prior appropriate notice and collection of consent, processed.
Purposes of the processing. Your personal data shall be processed for the following purposes:
A. performance of a contract to which the data subject is party or implementation of pre-contractual, contractual and tax measures adopted at the request of the data subject;
B. compliance with obligations provided by law, a regulation, Community legislation or an order by the authority (such as concerning money laundering) to which the Data Controller is subject;
C. compliance with civil, accounting, tax and public safety provisions, as well as administrative management of the relationship (invoicing, any document management, etc.) and requirements otherwise related to the performance of the contract with appointed professionals;
D. transmission of communications relating to events, exhibitions, etc. to which the data subject has subscribed and/or may participate;
E. statistical analysis, market research and quality assurance;
F. insurance management;
G. organization and management of events and meetings, including promotional initiatives;
H. to send you informative material, advertising, direct sale, commercial and promotional communications (marketing).
Legal basis of the processing.
For the purposes referred to in subsections 2A to 2F, your personal data shall be, respectively processed, for the purposes of a legitimate interest by the Data Controller (Article 6(1), point (f), considering (47), (48), (113) EU Regulation), the performance of a contract to which the data subject is party, or in order to take steps, at the request of the data subject, prior to entering into a contract (Article 6(1), point (b) EU Regulation), compliance with a legal obligation to which the Data Controller is subject (Article 6(1), point (c) EU Regulation).
For the purposes referred to in subsections 2G, 2H of this notice, your personal data shall be, lawfully processed, only upon your specific, separate, express, documented, prior and completely optional consent (Article 6(1), point (a) EU Regulation).
Where you decide to give consent to subsections 2G, 2H, you must be previously informed and aware that, the purposes of the processing pursued, are specifically of a commercial, advertising, promotional and marketing nature in general. With a view to absolute transparency, we therefore inform that, the data shall be collected and processed thereafter on the basis of specific consent:
1. to send advertising and informative material of a promotional nature (e.g. Newsletter);
2. to send commercial information; to make interactive business communications by paper, automated or electronic means and, in particular, via postal mail or e-mail, phone (e.g. calls, WhatsApp messages, SMS, MMS), fax and any other computer channel (e.g. websites, mobile app);
3. to send invitations to events, exhibitions and meetings for information and promotional purposes;
4. to send updates on promotional initiatives or technical news, for services, education or assistance and/or satisfaction surveys.
You can withdraw your consent at any time, without affecting the lawfulness of processing based on consent given before its withdrawal (Article 7(3) EU Regulation).
Furthermore, we inform you that, the data subject shall have, pursuant to Article 21 of EU Regulation, the right to object, at any time, to processing of personal data, concerning him or her, carried out for marketing purposes and, where the data subject objects to processing, his or her personal data shall no longer be processed for such purposes.
3. Modalities of processing
Existence of automated decision-making, including profiling
The processing of your personal data shall be performed by the operations referred to in Article 4(2) of EU Regulation, and precisely: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, destruction, block. Data processing shall be based on principles of lawfulness, fairness and transparency and may be carried out by manual, computer and telematic means, in paper and/or digital formats. Processing shall be carried out in a manner that ensures the security and the confidentiality of the data thereof.
The processing of your personal data shall be carried out through paper and electronic equipment, both by company employees, authorized to the processing of personal data, and external entities as Data Processors, required to carry out specific tasks on behalf of the Data Controller, pursuant to Article 28 EU Regulation, prior our letter of appointment, which imposes on them the duty of confidentiality and security of the processing of personal data, and the adoption of suitable security measures to prevent data loss, unlawful and improper use and unauthorized access, in accordance with the existing provisions on personal data protection.
For the sake of brevity, the detailed list of such entities is available at the registered office of the Data Controller for your consultation.
Your personal data shall not be, disseminated and transferred to third countries or international organizations, disclosed to third parties except for legal and contractual obligations (it should be noted that, also the disclosure of data to the other company of the group, and precisely ALBA SRL, shall pertain to contractual obligations, being the activities of this essential for the fulfillment/performance of what requested by you).
In reference to what is provided for by Article 13 of the EU Regulation in paragraph 2, letter f), it is hereby notified that the Data Controller currently does not employ any automated decision-making system or process.
4. Periods of data storage and other information
Processing shall be performed in an automated and/or manual form, in compliance with the provisions of Article 32 of EU Regulation regarding security measures, by entities specifically appointed and, in compliance with the provisions of Article 29 of the EU Regulation, as well as in accordance with the provisions set forth in Article 130 of Legislative Decree no. 2003/196, as amended by Legislative Decree no. 2018/101).
We point out that, in accordance with the principles of lawfulness, purpose limitation and data minimization, pursuant to Article 5 of EU Regulation, your personal data shall be, prior your free and explicit consent, stored for the period of time necessary for the purposes for which they are collected and processed, and/or for the period necessary for legal obligations or until the withdrawal of the specific consent by the data subject intervenes, and therefore:
-as regards as the purposes referred to in subsections 2A to 2F, data shall be stored for no longer than is strictly necessary for the fulfillment of legal and contractual obligations;
- as regards as the purposes referred to in subsections 2G, 2H, data processed for marketing purposes shall be stored by Idrobase Group Srl from when the data subject has given his or her consent until such consent is withdrawn. Where consent is withdrawn, the data shall no longer be processed for the aforementioned marketing purposes, but they may still be stored in order to handle any complaint and/or dispute. The period for which the data will be stored for marketing purposes envisaged by Idrobase Group Srl complies with local regulations, as well as provisions of the Italian Data Protection Authority (typically 24 months).
Further information regarding the period for which the data will be stored according to each data category is available at the company at the request of the data subject.
It should be noted that, in the absence of significant contacts for a period of ten years, or in the event of the exercise of the rights provided for in the Regulation (EU) by the data subject (e.g. right to erasure/be forgotten, restriction, etc.), there shall be the transfer of the personal data to a special encrypted digital and/or paper filing system (secured filing system), making those data solely accessible to the Data Controller, or they shall be destroyed without leaving any copy, unless different provisions laid down by existing law.
Annual audits of the data processed and the possibility to erase those data if no longer necessary to the intended purposes are expected to be conducted.
5. Access to data (categories of recipients to whom the data may be disclosed)
We also inform you that, the data collected shall never be disseminated and subject to disclosure without your explicit consent, unless necessary disclosure which may result into the transfer of data to public authorities, consultants or other entities for compliance with tax and legal obligations or fulfillment of primary and secondary purposes (where authorized), prior our letter of appointment, which imposes on them the duty of confidentiality and security of the processing of personal data.
With reference to Article 13(1), point (e) of EU Regulation, there shall be the indication of entities or categories of entities, (duly identified and instructed) that, as data processors or appointees, may become aware of your personal data, and a special list by category is provided below:
• Partners, employees and collaborators of the Data Controller in Italy and abroad in their capacity as appointees and/or internal data processors (e.g. commercial, technical, administrative, legal, press offices) and/or system administrators;
• Partner companies of and/or directly connected to Idrobase Group Srl in their capacity as data processors (without the activities of which the contractual obligations cannot be respected).
Your personal data may also be disclosed to external entities to whom the practices concerning you are addressed in the fulfillment of the activities better described above, and to external entities who interact with the undersigned, always and only, for activities relating to the aforementioned purposes, external entities required to carry out specific tasks on behalf of the Data Controller as Data Processors, pursuant to Article 28 of EU Regulation.
For the sake of brevity, the detailed list of such entities is available at our office for your consultation.
6. and 7. Disclosure and transfer of the data
Without the need for express consent (Article 6, paragraph 2 points (b), (c) and (f) of EU Regulation), the Data Controller may disclose your data for the purposes referred to in subsections 2A to 2F to oversight bodies, judicial authorities, as well as those entities to whom disclosure is required by law for the fulfillment of the aforementioned purposes.
Those entities shall process data in their capacity as independent data controllers.
Personal data shall be stored on equipment located at the registered office of the Data Controller or providers within the European Union.
Your data shall not be disseminated.
To ensure the security of such transfers, we shall only engage entities providing the necessary safeguards to implement appropriate technical and organizational measures, in order that the processing is carried out in accordance with EU Regulation 2016/679.
In full compliance with the provisions of EU Regulation, the Data Controller has implemented appropriate technical and organizational measures to ensure a suitable level of security, both as regards the data on its equipment and any data at providers.
8.Nature of the provision of data and consequences of failure to provide such data
The provision of data for the purposes referred to in subsections 2A to 2F of this notice shall be necessary to enter into a contract and for the proper fulfillment of the contract thereof. We inform you that, in the event of failure to provide such data or in the event of failure to authorize the processing for such purposes, our Company shall be unable to comply with the existing legal and contractual obligations with you.
In such a case, failure to provide the data shall result in the inability to establish or continue the contractual relationship within the limits of which such data are necessary for the correct fulfillment related to the performance of the contract.
The provision of data for the purposes referred to in subsections 2G, 2H of this notice shall instead be optional. Therefore, you may decide not to provide any data, or deny thereafter, at any time, the possibility to process data already provided: in such a case, you will be unable to receive newsletters, business communications and advertising material and/or other concerning the Services offered by the Data Controller.
You shall continue to be, in any event, entitled to the Services referred to in subsections 2A to 2F.
9. Rights of the data subject
In your capacity as data subject, you shall have the rights referred to in Articles 15 to 22 of EU Regulation listed hereinafter, and precisely, you shall have the right to:
- obtain confirmation as to whether or not personal data concerning him or her are being processed, as well as an (electronic) written copy of those data in a clear and intelligible form (so-called right to access);
- obtain the indications of the purpose of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be disclosed and, where possible, the period for which the personal data will be stored;
- obtain the rectification of the data concerning him or her (so-called right to rectification);
- obtain the erasure of the data concerning him or her (so-called right to be forgotten);
- obtain the restriction of processing (so-called right to restriction of processing);
- where the data are not collected from the data subject, obtain any available information as to their source;
- obtain data portability, namely receive data from a data controller, in a structured, commonly used and machine-readable format and transmit those data to another data controller without hindrance (so-called right to data portability);
- object to the processing at any time, including in the event of processing for direct marketing purposes (so-called right to object). We inform you that, specifically and separately, as required under Article 21 of EU Regulation, where personal data are processed for direct marketing purposes, the data subject shall have the right to object, at any time, to processing of personal data, concerning him or her, carried out for such purposes and, where the data subject objects to processing for direct marketing purposes, personal data shall no longer be processed for such purposes;
- object to automated decision-making relating to natural persons, including profiling;
- withdraw consent, at any time, without affecting the lawfulness of processing based on consent given before its withdrawal;
- lodge a complaint with a supervisory authority (Italian Data Protection Authority).
There may be conditions or limitations to the rights of the data subject. Therefore, it shall not be certain that, for example, you have the right to data portability in all instances, which depends on the specific circumstances of the processing activities.
10. Modalities for the exercise of the rights
You can exercise your rights at any time, by sending, without any special formality, a clear communication to that effect:
- a registered letter with return receipt to the undersigned (see the address in the letterhead);
- an e-mail to uff-amministrativo@idrobasegroup.com.
11. Children
Anything provided by the Data Controller and subject to the relationship with you shall not include the intentional collection of personal information concerning children. Where information on children was unintentionally registered, the Data Controller shall, at the request of the data subject, erase it without delay.
12. Personal data not obtained from the data subject
It may occur that, the undersigned is not the Data Controller to whom you have provided your personal data but results to be a joint controller of the processing or an external data processor and, therefore, your data may arrive at the undersigned as a second step because of a contract governing the parties. In such a case, it should be noted that, the undersigned will make every effort to ensure that you are informed and have given consent to processing. At any time, you can request the undersigned to provide the source of your data.
13. Data Controller, D.P.O., Appointees and Data Processors
Please find herewith below certain information that must be brought to your attention, not only to comply with legal obligations, but also because transparency and fairness towards our staff/collaborators are a fundamental part of our business.
Data Controller. The Data Controller of your personal data is Idrobase Group Srl, responsible to you for the legitimate and proper use thereof and, whom you may contact for any information or request to the following details: phone +39 049 9335903, e-mail: uff-amministrativo@idrobasegroup.com.
D.P.O. (Data Protection Officer). You may also contact the Data Protection Officer to receive information and submit requests regarding your data, or report disservices or any problem you may have encountered. The Data Controller has appointed Mr. Nicola Ghinello as Data Protection Officer, whom you may contact to the following details: phone +39 348 3165267, e-mail: nicola.ghinello@dpo-rpd.com.
Appointees. The updated list of the persons in charge of the processing is available at the registered office of the Data Controller.
Data Processors
For the sake of brevity, the detailed list of such entities is available at the registered office of the Data Controller for your consultation.
Data Controller
Idrobase Group Srl
Contact us
Idrobase Group Srl is pleased to receive comments regarding this privacy notice.
Please contact us at the following e-mail address: uff-amministrativo@idrobasegroup.com.