IREG Form– Update Date 02/2024
Privacy Notice
Pursuant to Article 13 of EUROPEAN REGULATION No. 2016/679
Dear Data subject,
Idrobase Group Srl, as Data Controller, intends to inform you concerning the processing of your personal data,pursuant to Article 13 of European Regulation no. 2016/679 “General Data Protection Regulation (GDPR)” (hereinafter EU Regulation), laying down provisions with regard to the processing of personal data.
The regulation provides that, any person who performs the processing of personal data shall be required to, inform the data subjects on the data processed and qualifying elements of the processing, which, in any event, shall be carried out lawfully, fairly and in a transparent manner, as well as protect confidentiality and guarantee the rights of the data subjects.
It should be noted that, data processing means any operation or set of operations concerning collection, recording, organisation, storage, consultation, processing, alteration, selection, retrieval, alignment, use, combination, block, disclosure, dissemination, destruction of the data thereof.
1. Data Controller
The Data Controller is Idrobase Group Srl, with registered office in Via dell’Industria 25, 35010 Borgoricco (PD), tax code and VAT number 04604140287, that may be contacted by the following means: phone +39 049 9335903, e-mail: uff-amministrativo@idrobasegroup.com.
2. Nature of the data processed, Purposes and Legal basis of the processing
Nature of the data processed. In relation to the purposes of the processing below, we inform you that, only “common personal data” shall be processed, such as:
Purposes of the processing. Your personal data shall be processed for the following purposes:
Legal basis of the processing. For the purposes referred to in subsections 2A-2B and 2C, personal data shall be, respectively processed, for the purposes of a legitimate interest by the Data Controller (Article 6(1), point (f) EU Regulation), the performance of a contract to which the data subject is party, or in order to take steps, at the request of the data subject, prior to entering into a contract (Article 6(1), point (b) EU Regulation), compliance with a legal obligation to which the Data Controller is subject (Article 6(1), point (c) EU Regulation).
For the purposes referred to in subsections 2D of this notice, your personal data shall be, lawfully processed, only upon your specific, separate, express, documented, prior and completely optional consent (Article 6(1), point (a) EU Regulation).
You can withdraw your consent at any time, without affecting the lawfulness of processing based on consent given before its withdrawal (Article 7(3) EU Regulation).
Furthermore, we inform you that, the data subject shall have, pursuant to Article 21 of EU Regulation, the right to object, at any time, to processing of personal data, concerning him or her, carried out for direct marketing purposes (including profiling) and, where the data subject objects to processing, his or her personal data shall no longer be processed for such purposes.
Clarification: as the principle of utmost transparency towards the data subject is distinctive of our Company, we wish you to inform you that, where you decide to give consent to subsection 2D (marketing), you must be previously informed and aware that, the purposes of the processing pursued, are specifically of a commercial, advertising, promotional and marketing nature in general, such as:
3. Recipients of the data and Modalities of processing. Existence of automated decision-making, including profiling
The processing of your personal data shall be based on principles of lawfulness, fairness and transparency and may be carried out through paper and electronic equipment, both by the employees of the undersigned company, authorised/appointed to the processing of personal data, and external entities as Data Processors, required to carry out specific tasks on behalf of the Data Controller, pursuant to Article 28 of EU Regulation, prior our letter of appointment, which imposes on them the duty of confidentiality and security of the processing of personal data, and the adoption of suitable security measures to prevent data loss, unlawful and improper use and unauthorised access, in accordance with the existing provisions on personal data protection.
For the sake of brevity, the detailed list of such entities is available at the registered office of the Data Controller for your consultation.
Your personal data shall not be, disseminated and transferred to third countries or international organisations, disclosed to third parties except for legal and contractual obligations (it should be noted that, also the disclosure of data to the other company of the group, and precisely ALBA SRL, shall pertain to contractual obligations, being the activities of this essential for the fulfilment/performance of what requested by you).
In reference to what is provided for by Article 13 of the EU Regulation in paragraph 2, letter f) and Article 14 of the EU Regulation in paragraph 2, letter g), it is hereby notified that the Data Controller currently does not employ any automated decision-making system or process.
4. Periods of data storage
Your personal data shall be stored for no longer than is necessary for the purposes for which they are processed, in accordance with the principle of storage limitation provided for in EU Regulation, and/or for the period necessary for legal and contractual obligations or until the withdrawal of the specific consent by the data subject intervenes, and therefore:
As a guarantee of the stated storage periods, annual audits of the data processed and the possibility to erase those data if no longer necessary to the intended purposes are expected to be conducted.
5. Access to data (categories of recipients to whom the data may be disclosed)
We also inform you that, the data collected shall never be disseminated and subject to disclosure without your explicit consent, unless necessary disclosure which may result into the transfer of data to public authorities, consultants or other entities for compliance with tax and legal obligations or fulfilment of the purposes (where authorised), prior our letter of appointment which imposes on them the duty of confidentiality and security of the processing of personal data.
With reference to Article 13(1), point (e) of EU Regulation, there shall be the indication of entities or categories of entities, (duly identified and instructed) that, as data processors or appointees, may become aware of your personal data, and a special list by category is provided below:
Your personal data may also be disclosed to external entities to whom the practices concerning you are addressed in the fulfilment of the activities, and to external entities who interact with Idrobase Group Srl, always and only, for activities relating to the aforementioned purposes, external entities required to carry out specific tasks on behalf of the Data Controller as Data Processors, pursuant to Article 28 of EU Regulation.
For the sake of brevity, the detailed list of such entities is available at our office for your consultation.
6. and 7. Disclosure and transfer of the data
Without the need for express consent (Article 6(1), points (b), (c) and (f) of EU Regulation), the Data Controller may disclose your data for the purposes referred to in subsections 2A to 2F to oversight bodies, judicial authorities, as well as those entities to whom disclosure is required by law for the fulfilment of the aforementioned purposes.
Those entities shall process data in their capacity as independent data controllers.Your data shall not be disseminated.
To ensure the security of such transfers, we shall only engage entities providing the necessary safeguards to implement appropriate technical and organisational measures, in order that the processing is carried out in accordance with EU Regulation 2016/679.
In full compliance with the provisions of EU Regulation, the Data Controller has implemented appropriate technical and organisational measures to ensure a suitable level of security, both as regards the data on its equipment and any data at providers.
8. Consequences of failure to provide the data
Personal data referred to in subsections 2A-2B-2C of this notice shall be necessary, without which we would be unable to proceed to registration (creation of your personal account), comply with the contractual and legal obligations.
Personal data referred to in subsections 2D shall instead be optional. Failure to provide them shall not entail any consequence and shall not affect your request to proceed to registration, as well as comply with the contractual and legal obligations. Therefore, you may decide not to provide any data, or deny thereafter, at any time, the possibility to process data already provided.
9. Rights of the data subject
In your capacity as data subject, you shall have the rights referred to in Articles 15 to 22 of EU Regulation listed hereinafter, and precisely, you shall have the right to:
It should be noted that, there may be conditions or limitations to the rights of the data subject. Therefore, it shall not be certain that, for example, you have the right to data portability in all instances, which depends on the specific circumstances of the processing activities.
Another example: where you decide to object to data processing, the Data Controller shall have the right to evaluate your request, that may not be accepted in the event of the existence of legitimate cogent reasons for proceeding with processing, which override your interests, rights and freedoms.
10. Modalities for the exercise of the rights
You can exercise your rights at any time, without any special formality, in a clear and explicit manner, by sending:
- a registered letter with return receipt to the undersigned;
- an e-mail to uff-amministrativo@idrobasegroup.com.
Otherwise, by contacting the Data Controller directly at the phone number: +39 049 9335903.
11. Children
Anything provided by the Data Controller and subject to the existing relationship with you shall not include the intentional collection of personal information concerning children. Where information on children is unintentionally registered, the Data Controller shall, at the request of or following a report by the data subject, erase it without delay.
12. D.P.O. – Appointees/Authorised – Data Processors
Please find herewith below certain information that must be brought to your attention, not only to comply with legal obligations, but also because transparency and fairness towards the data subjects are a fundamental part of our business.
D.P.O. (Data Protection Officer). You may also contact the Data Protection Officer to receive information and submit requests regarding your data, or report disservices or any problem you may have encountered.The Data Controller has appointed Mr. Nicola Ghinello as Data Protection Officer, whom you may contact by the following mean: e-mail: nicola.ghinello@dpo-rpd.com.
Appointees/Authorised. The updated list of appointees/authorised in charge of the processing is available at the registered office of the Data Controller.
Data Processors.
For the sake of brevity, the detailed list of such entities is available at our registered office.