NOTICE: PROCESSING OF PERSONAL DATA
(CUSTOMERS AND SUPPLIERS)
The present Notice relates to the processing of data by Vezio Srl Società Agricola, of Milano Via Vigevano, 41, telephone number 02.58190940 or 0341.815041, email address email@example.com, fax number 02.58190932 (“the Data Controller”), and is issued in accordance with the European General Data Protection Regulation EU 2016/679 (“the GDPR”).
The Data Controller may process personal data relating to customers, suppliers, agents and consultants, whether they are concerned as contractants and/or otherwise, as defined in current applicable laws and regulations on personal data.
1. Data Controller’s identity and contact details
The Data Controller is Vezio Srl Società Agricola, in the person of its incumbent CEO.
As the Data Controller is established in Italy no representative has been appointed.
2. Contact details of the Data Protection Officer
The Data Controller has not appointed a Data Protection Officer.
3. Third parties’ data
Whenever the customer, supplier, agent and/or consultant needs to disclose to the Data Controller the personal data of third parties, its own employees and/or other staff for the purposes of the execution of the contract, that customer or supplier must tell the third party of this, and must provide him/her with the present Notice.
4. Purpose(s) and legal basis of the processing
The personal data will be processed for the following purposes:
- for contractual purposes and/or those connected with the taking of steps at your specific request before a contract is signed, and also for the purpose of complying with any legal obligations connected therewith. In such cases the legal basis is the need to process the data in order to execute the contract and/or manage the pre-contract dealings between us;
- to send direct marketing communications, newsletters and advertising material by means of traditional and automated (computerized) contact systems, including commercial or promotional communications by email or SMS, or for market research and analysis. In this case the legal basis is your consent as expressed in accordance with the present Notice;
- for determining habits and preferences by means of profiling. In this case the legal basis is the consent of the person concerned (“the Data Subject”), expressed in accordance with the present Notice;
- for purposes connected with relevant legal obligations when data have been processed for the purposes set out in (a) above. In this case the legal basis is the Data Controller’s legal obligation to process such personal data in accordance with applicable national laws and regulations.
5. Manner of expressing consent
When required, consent may be expressed:
- by signing an electronic document, which may be done by ticking a special box;
- by signing a paper document.
6. Mode of processing; software
- in relation to personal data processed and stored for the purposes referred to in Section 4(a) (contractual and pre-contract purposes) or Section 4(d) (legal purposes) of this Notice, data will be processed by paper-based means or automated processes using CRM-type software enabling the performance of contractual obligations to be managed as well as possible;
- in relation to personal data processed for the purposes referred to in Section 4(b) of this Notice (marketing) the data will be processed by means of software for the automated sending of commercial information;
- personal data processed for the purposes referred to in Section 4(c) of this Notice (determining preferences) will be processed using CRM tools for establishing tastes and preferences with a view to offering personalized services and communications. For further details see the next Section;
- personal data processed and stored for the purposes referred to in Section 4(d) of this Notice (legal purposes) will be processed by paper-based means, automated processes and the use of CRM-type software.
7. Automated decision-making process; profiling
If you consent to the processing of your personal data for the purpose of benefiting from personalized services through profiling, those data may be subject to an automated decision-making process che uses a special algorithm to decide which communications are best suited to your profile or might be of most interest to you. Such processing may be expected to lead, for instance, to the sending of highly individualized sales messages, discount offers, invitations to events we think you would be interested in, etc.
You (the Data Subject) are entitled in any case to insist on human intervention in the Data Controller’s decision-making process, to express your opinion, to have an explanation of the decision made and to object to that decision.
8. Sources of the personal data
We shall process only data provided in accordance with this Notice and gathered at our premises or by email. Data processed for the purpose of making personalized services available through profiling may be correlated with other data to generate further profile information. Personal data from sources accessible to the public will not be processed.
9. Recipients of the personal data; categories (if any) of recipient
Recipients of the personal data may include the following:
- communication companies engaged in advertising and profiling activities on behalf of the Data Controller (where consent has been granted); such companies will be acting as Data Processors;
- companies which offer Information Society services, and those offering hosting services in particular;
- statistics and market survey companies (where consent has been granted);
- accounting audit firms;
10. Categories of data
Personal data will be processed. Under no circumstances will data belonging to the following categories be processed: particular [sensitive] data, for instance data that could reveal the state of health.
11. Transfer of data
The Data Controller intends to send the personal data to an international organization or an organization in a non-EU jurisdiction. Such organizations might include:
- communication companies engaged in advertising on behalf of the Data Controller;
- the communication company’s service provider(s);
- subsidiaries and/or parent companies.
Personal data will only be transferred to an international organization or an organization established in a non-EU jurisdiction if the European Commission has approved them, having verified that the country, territory or specific sector(s) within the non-EU jurisdiction, or the international organization in question, guarantees an adequate level of protection of the Data Subject’s rights. In any case the Data Controller reserves the right – whenever for any reason it sees fit – to make a specific separate agreement obliging the transferee to put in place adequate security measures (including organizational measures) designed to provide appropriate guarantees concerning those rights. The data may be transferred in this way to the following jurisdictions: United States of America. A copy of these details, or details of the place where such a copy can be consulted, may be obtained on request from the Data Controller, at the addresses given in this Notice.
12. Period for which the personal data will be kept
- Personal data processed and stored for the purposes referred to in Section 4(a) of this Notice (contractual and pre-contract purposes) are processed for a period in no case longer than ten years after the contract’s effects have ceased (if a contract is signed) or (in the case of mere pre-contract negotiations) for a period no longer than ten years after the end of negotiations;
- personal data processed for the purposes referred to in Section 4(b) of this Notice (marketing) are processed and stored until the Data Subject asks for them to be erased and/or consent is withdrawn;
- personal data processed for the purposes referred to in Section 4(c) of this Notice (determining preferences) are processed and stored for a period not longer than 24 months from the time when they were gathered;
- personal data processed and stored for the purposes referred to in Section 4(d) (compliance with legal obligations) are processed and stored for a period no longer than ten years after the contract’s effects have ceased (if a contract is signed) or (in the case of mere pre-contract negotiations) for a period no longer than ten years after the end of negotiations, unless, in either case, the law requires otherwise.
13. Optional nature of consent; consequences of refusing consent
- In relation to personal data processed and stored for the purposes referred to in Section 4(a) of this Notice (contractual and pre-contract purposes) the communication of personal data is a contractual obligation and a necessary precondition for the carrying on of pre-contract negotiations and for the concluding of the contract. The Data Subject has the option of providing or withholding these personal data; if they are withheld, however, it will not be possible to conclude any contract or carry on any contract negotiations;
- the communication of personal data processed for the purposes referred to in Section 4(b) of this Notice (marketing) is not a contractual obligation. Providing or withholding the personal data is optional; if they are withheld, however, it will not be possible to carry out any marketing activities;
- the communication of personal data processed for the purposes referred to in Section 4(c) of this Notice (determining preferences) is not a contractual obligation. Providing or withholding the personal data is optional; if they are withheld, however, it will not be possible to do any personalization;
- the communication of personal data processed for the purposes referred to in Section 4(d) of this Notice (legal obligations) is a legal obligation. Provision of the personal data in this case is mandatory, and if they are withheld it will not be possible to conclude the contract.
14. Right to object
The Data Subject has the following rights to object to processing of his/her personal data:
- the right to object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The Data Controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims;
- where personal data are processed for direct marketing purposes, the Data Subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing;
- where the Data Subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes. It should be pointed out that the Data Subject’s right to object to the processing of his or her personal data for these purposes may also be exercised in respect of just part of such processing; he/she may, for instance, object only to automated and/or digital sending of promotional communications, or to the sending of paper communications;
- where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, the Data Subject has the right to object, on grounds connected with his or her particular situation, to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
15. Other rights
The Data Controller also wishes to give notice of the following rights:
- Right of access: the Data Subject has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, to obtain access to the personal data and to certain specific information, in accordance with Art. 15 of the GDPR;
- Right to rectification: the Data Subject has the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement, in accordance with Art. 16 of the GDPR;
- Right to erasure of the data, including the right to withdraw consent: the Data Subject has the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay, and the Data Controller is obliged to erase personal data without undue delay or to withdraw his/her consent, where one of the grounds specified in Art. 17 of the GDPR applies. So far as the right to withdraw consent is concerned, the Data Subject also has the right to withdraw consent at any time but without prejudice to the lawfulness of any processing based on the consent provided which had been carried out before that consent was withdrawn;
- Right to restriction of processing: the Data Subject has the right to obtain restriction of processing from the Data Controller in any of the circumstances specified in Art. 18 of the GDPR;
- Right to data portability: the Data Subject has the right to receive the personal data concerning him or her which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided, in those circumstances and under those conditions specified by Art. 20 of the GDPR;
- Contracting party’s right to object to sales messages: the contracting party has the right to object at any time, free of charge, to receiving sales messages.
16. Exercising your rights
The rights indicated in this Notice, including in particular the right to erasure and the right to withdraw consent provided previously, can be exercised by emailing the Data Controller directly at firstname.lastname@example.org or by sending a registered letter with recorded delivery to Via Vigevano, 41 – 20144 Milano.
17. Accessing the Notice
This Privacy Notice can be consulted at www.agriturismocastellodivezio.it, and also at the Data Controller’s premises. On special request the information can also be provided over the telephone (on condition the identity of the applicant has been duly established), by calling the Data Controller’s number.