Name and contact details of the Data Controller
The Data Controller is Angelini Holding SpA, with registered office in Viale Amelia 70-00181 Rome.
Contact details of the Data Protection Officer («DPO»)
The DPO appointed by the Company can be contacted at the following addresses:
— email: email@example.com;
— post: Angelini Holding SpA – Viale Amelia 70 — 00181 Rome.
Which data we process
Why and how do we process your personal information?
With the user’s consent, the Company may process the user’s common personal data to allow the use of services and features found on the Site and to optimise its functioning, to obtain statistics on visits, to manage requests and reports received through the Site, for registration to any reserved areas or initiatives such as competitions and the like, pursuant to Article 6.1. (a) of the Regulation. The Company may also process the user’s personal data to fulfil obligations deriving from laws, regulations, EU legislation: the legal basis for the processing for this purpose is Article 6.1 (c) of the Regulation.
With the user’s optional consent, the common data may also be used for the purpose of corporate communications (including newsletters) or promotional activities (marketing), i.e. sending promotional material and/or commercial communications relating to the Company’s services, at the indicated addresses, both through traditional methods and/or means of contact (such as paper-based post, telephone calls with an operator, etc.) and automated means (such as communication via internet, fax, email, SMS, applications for mobile devices such as smartphones and tablet — so-called apps — social network accounts — e.g. via Facebook — etc.). The legal basis of the processing for this purpose is Article 6.1. (a) of the Regulation.
Finally, the user’s common and/or sensitive personal data can be processed by the Company to protect its rights in court or to apply the Angelini Group Code of Conduct (Articles 6.1. (f) and 9.2. (f) of the Regulation).
The processing of personal data takes place through automated and non-automated tools, with rationale strictly related to the purposes of the processing and, in any case, with methods and procedures suitable to guarantee the data’s security and confidentiality.
Necessary processing and optional processing
The forms to fill out on this Site may include both data that is strictly necessary to manage communication and user requests, marked with the symbol [*], which if not indicated does not allow these requests to be followed up, and optionally provided data which is not strictly necessary to fulfil data subjects’ requests. Failure to provide the latter will not entail any consequence.
Links to other sites
How we store data and for how long
In accordance with the provisions of Article 5.1 (c) of the Regulation, the information systems and computer programs used by the Company are configured so as to minimise the use of personal and identifying data; this data is processed only to the extent necessary to achieve the purposes indicated in this Policy; the data will be kept for the period of time strictly necessary to achieve the objectives actually pursued and in any case, the criterion used to determine the retention period is based on compliance with the terms allowed by the applicable laws and the principles of minimisation of processing, limitation of storage and rational management of archives. In order to determine the appropriate period for retaining personal data stored by the site with the user’s consent, the data controller also takes the following criteria into consideration: the specific purposes specified in the statement for which the site stores personal information; the current type of relationship with the user (how often the user accesses their account; whether the user makes requests via contact forms; whether the user continues to receive newsletters or commercial communications; how regularly they browse the site, etc.); any specific user request for deletion of their data or withdrawal of consent; the data controller’s legitimate commercial interest.
How we ensure the security and quality of personal data
The Company undertakes to protect the security of the user’s personal data and complies with the security provisions required by the applicable legislation in order to avoid loss of data, illegitimate or illegal use of data and unauthorised access to it, with particular but non-exclusive reference to Articles 25-32 of the Regulation. The Company uses multiple advanced security technologies and procedures to promote the protection of users’ personal data; for example, personal data is stored on secure servers located in places with protected and controlled access. The user can help the Company update and maintain their personal data by communicating any change concerning their address, their qualification, contact information, etc.
Who can access the data
Personal data will be made accessible only to those within the Company, and to companies that are parent companies, affiliates or subsidiaries of the Angelini Group, and need it due to their corporate role or duties. These parties, which will be as limited as possible in number, will be appropriately trained to avoid loss, destruction, unauthorised access or unauthorised processing of the data.
Furthermore, the data can be communicated to: (i) institutions, authorities and public bodies for their institutional purposes; (ii) professionals and independent collaborators, including in associated form; third parties and suppliers which the Data Controller uses to provide commercial, professional and technical services functional to the Site’s management and related functions (e.g. IT service providers and Cloud Computing), to pursuing the purposes specified above and to the services requested by the user; (iii) third parties in the event of mergers, acquisitions, sale of a company or business branch, audit or other extraordinary operations; (iv) the company’s Supervisory Body, domiciled at the Data Controller, for the purpose of pursuing its supervisory activities and applying the Angelini Group Code of Conduct. These parties will only receive the data necessary for their relative functions and will undertake to use it only for the purposes indicated above and process it in compliance with the applicable privacy legislation. The data may also be communicated to legitimate recipients pursuant to the applicable legislation. Except for the foregoing, the data is not shared with third parties, natural or legal persons, who do not perform any commercial, professional or technical function for the Data Controller, and will not be disclosed. The parties that receive the data process it as Data Controllers, Data Processors or parties authorised to process it, according to the case, for the purposes indicated above and in compliance with the applicable privacy law.
Data transfer to non-EU countries
Regarding the possible transfer of data to third countries, including countries that may not guarantee the same level of protection required by applicable legislation, the Data Controller states that the processing will in all cases take place according to one of the methods allowed by the Regulation, such as the user’s consent, the adoption of Standard Clauses approved by the European Commission, the selection of parties adhering to international programmes for free circulation of data, (e.g. EU-USA Privacy Shield) or operating in countries considered safe by the European Commission .
The users to whom the personal data refers have the right at any time to obtain confirmation of the existence of that data and to know its content and origin, verify its accuracy or request its supplementation or updating, or rectification, erasure or limitation, or to oppose its processing, or to lodge a complaint with the supervisory authority pursuant to Article 15 of the Regulation. Furthermore, pursuant to Articles 7,15,16, 17, 18, 19, 20, 21, 22 and 77 of the same Regulation, each user has the right to request information on the collection and use of their personal data, to access it, to obtain its correction, erasure (the right to be forgotten), limitation of processing, notification in the event of rectification or erasure of personal data or limitation of the processing, portability of data, transformation into anonymous form or blocking of data processed in violation of the law , as well as to object in any case, in the cases provided for by law, to its processing, to submit complaints relating to the collection and processing of personal information to the competent Data Protection Authority, to revoke consent to the processing of personal data at any time save the lawfulness of the processing carried out up to that time on the basis of the revoked consent.
For any request regarding the Company’s processing of personal data, to exercise the rights recognised by the applicable legislation, as well as to know the updated list of parties which can access the data, the user can contact the Data Controller and/or the DPO at the addresses indicated above.