Policy issued pursuant to Articles 13–14 of the GDPR (General Data Protection Regulation) 2016/679
In compliance with the provisions of the European Regulation 2016/679 (GDPR), Pinti Inox SpA informs you that the personal data you have provided or which we have acquired as part of our business, being necessary for executing the services offered to you, shall be processed in compliance with the legislation on privacy and the principles of correctness, lawfulness, transparency and the protection of your privacy and your rights.
We also wish to provide you with the following information:
1. DATA CONTROLLER
The Data Controller is Pinti Inox SpA, a company based in Sarezzo at Via Antonini 87, in the province of Brescia.
2. PROCESSED DATA, PURPOSE AND LEGAL BASIS OF THE PROCESSING
2.1. The electronic systems and software utilised to operate the institutional website of Pinti Inox SpA (www.pinti.it) acquire certain personal data as an implicit consequence of using IT protocols on the Internet (for example, domain names and IP addresses). Such data is not accompanied by any additional personal details and is utilised to obtain anonymous statistical information regarding use of the website, to monitor how the site is used and to ascertain any responsibility in the event of computer crimes. The legal basis that legitimises the processing of such data is the need to render the functionalities of the corporate website usable as a result of the User’s access.
2.2. The data provided voluntarily by the User is, rather, that pertaining to the submission of job applications or contact requests and is processed lawfully and fairly, along with being gathered and recorded exclusively for the purposes for which it is provided.
Personal data (being identification data such as, for example, name and surname, company name, tax code and VAT number, address, telephone/fax number, email address, bank account and payment details) are collated and processed:
- to liaise with the potential or existing customer or supplier;
- for administrative, fiscal or internal accounting purposes connected to the customer-supplier relationship and to fulfil the obligations generally established for Data Controllers by laws or regulations, by EU legislation, by requests from the judicial authorities or to exercise the rights of the Data Controller (for example, the right of defence in court);
- in the presence of specific distinct consent from the User, for the following marketing purposes: to send (via email, post, text message or telephone call) newsletters, updates on the activities of the Data Controller, advertising material or commercial communications on products or services offered by the Data Controller that the User may consider to be of interest and to detect the degree of satisfaction with the quality of services, including requests for participation in market analysis or research;
- in the event of a curriculum vitae being submitted, exclusively for the purpose of selecting personnel and for establishing an employment relationship.
In the cases expressly indicated in Points “c” (marketing) and “d” (curriculum vitae), the legal basis is the consent freely given by the User.
2.3. Pursuant to Articles 9 and 10 of the GDPR, the User can share with the Data Controller data that can be qualified as “Special Categories of Personal Data” (being data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data and biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, a natural person’s sex life or sexual orientation). Such categories of data may be processed by the Data Controller only with the consent of the User, expressed in writing by signing this Policy, for contractual purposes and the relative fulfilment of legal and tax obligations as well as for personnel selection needs.
3. METHOD OF PROCESSING
The processing of a User’s personal data is conducted by means of the operations of: collection, registration, organisation, retention, consultation, processing, modification, selection, extraction, comparison, utilisation, interconnection, blocking, communication, erasure and destruction of data.
The User’s personal data is collected when it is sent directly to the Data Controller by filling out forms or questionnaires generally created for that purpose, including those contained in contractual documentation, or when it is gathered over the telephone by an operator in the context of pre-contractual activities. The data is processed both manually in hardcopy format and via electronic or automated, computerised and telematic means. The collected data is recorded and retained by the Data Controller in computer and paper archives, and is retained and monitored in such a way as to minimise the risks of destruction or loss (including accidental loss), of unauthorised access, and of processing that is not permitted or does not comply with the purposes of the collection.
The data is processed by employees or collaborators of the Data Controller, duly instructed in this regard.
4. NATURE OF DATA COMMUNICATION
The provision of personal data relative to the processing is optional. However, a partial or total failure to provide the data may result in the partial or total impossibility of establishing or continuing the relationship with the User, to the extent that such data is necessary for the execution of the same.
The provision of data for marketing purposes is also optional. The User can thus decide not to provide any data or to subsequently deny the possibility of processing previously provided data. In this case, they will not be able to receive newsletters, sales communications or advertising material in general pertaining to the services offered by the Data Controller.
5. RECIPIENTS OR POSSIBLE CATEGORIES OF RECIPIENTS OF THE PERSONAL DATA
The User’s data is processed by the Data Controller’s internal staff (employees, collaborators or system administrators), identified and authorised for such processing according to the instructions issued in compliance with current legislation on privacy and data security.
If this is necessary for the purposes listed in Article 2, the User’s personal data may be processed by third parties appointed as Data Processors (pursuant to Article 28 of the GDPR), or “autonomous” Data Controllers, namely:
- professionals, companies, associations or professional firms that provide the Data Controller with assistance or advice for administrative, accounting, tax, legal protection or personnel selection purposes;
- any Public Institutions established by law and more generally by any Bodies envisaged under current accounting and tax legislation as recipients of mandatory communications;
- banks for collections and payments as well as by any professionals – in individual, associated or corporate form – for the management of payments via credit cards or electronic payment instruments in general, postal couriers, for any credit recovery or for certification of the Data Controller’s financial statements.
The updated list of data processors and persons in charge of processing is kept at the Data Controller’s registered office.
In any case, the User’s personal data is not subject to disclosure.
6. TRANSFER OF DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANISATION
As part of the management of the contractual relationship, no transfer of the User’s data to third countries outside the EU or to international organisations is envisaged.
7. PERSONAL DATA RETENTION PERIOD OR CRITERIA USED TO DETERMINE THIS PERIOD
The User’s personal data will be processed and stored by the Data Controller for the entire duration of the contractual relationship between the User and the Data Controller and, at the end of the same for any reason, will be retained for the period of time established for each category of data under current accounting, taxation, civil and procedural legislation.
For marketing purposes, the User’s personal data will be processed and retained by the Data Controller until the User’s consent is revoked or until the User’s right to object to the processing or the right to erasure of personal data is exercised.
For the purposes referred to under Point “e” (Curricula Vitae), the User’s personal data may be processed and retained by the Data Controller for a maximum of 12 months from the date of receipt.
8. USER RIGHTS
In their capacity as Data Subject and in relation to the processing described in this Policy, the User has the rights referred to in Articles 7, 15 to 21 and 77 of the GDPR and, in particular, the:
- Right of Access – Article 15 of the GDPR: the right to obtain confirmation as to whether or not personal data concerning the User is being processed and, if it is, to obtain access to such personal data, including a copy of the same;
- Right to Rectification – Article 16 of the GDPR: the right to obtain, without undue delay, the correction of any inaccurate personal data concerning the User and/or the integration of incomplete personal data;
- Right to Erasure (Right to be Forgotten) – Article 17 of the GDPR: the right to obtain, without undue delay, the deletion of personal data concerning the User;
- Right to Restrict Processing – Article 18 of the GDPR: the right to obtain a limitation of processing, when: the Data Subject disputes the accuracy of the personal data, for the period necessary for the Data Controller to verify the accuracy of such data; the processing is unlawful and the Data Subject opposes the erasure of personal data and requests its use be limited instead; the personal data is necessary for the Data Subject to ascertain, exercise or defend a right in court; the Data Subject opposes the processing pursuant to Article 21 GDPR, during the period of waiting for the verification of the possible prevalence of legitimate reasons of the Data Controller with respect to those of the Data Subject;
- Right to Data Portability – Article 20 of the GDPR: the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning the User and provided to the Data Controller, as well as the right to transmit the data to another Data Controller without impediments, where the processing is based on consent and is conducted via automated means. Furthermore, there exists the right to have the User’s personal data transmitted directly to another Data Controller where technically feasible;
- Right to Object – Article 21 of the GDPR: the right to object, at any time for reasons connected to the User’s particular situation, to the processing of personal data concerning the User, based on the condition of lawfulness of the legitimate interest or execution of a task of public interest or the exercise of public authority, including profiling, except where there are legitimate reasons for the Data Controller to continue with processing that prevail over the interests, rights and freedoms of the Data Subject or for the determination, exercise or defence of a right in court. In addition, there is the right to object to processing at any time if the personal data is processed for direct marketing purposes, including profiling, to the extent that it is connected to such direct marketing;
- Right of Revocation – Article 7 of the GDPR: the User has the right to revoke their consent at any time. Such withdrawal does not affect the lawfulness of the processing based on consent prior to the revocation.
- Right to Lodge a Complaint – Article 77 of the GDPR: the User has the right to lodge a complaint with the Personal Data Protection Authority at Piazza di Montecitorio 121 – 00186, Rome (RM).
9. MEANS OF EXERCISING THE RIGHTS OF THE DATA SUBJECT
At any time, the User may exercise their rights by sending a registered letter with return receipt to: Pinti Inox S.p.A., Via Antonini 87 – 25068 Sarezzo (BS) or a certified email to the address firstname.lastname@example.org.