Privacy

PRIVACY STATEMENT FOR PERSONAL DATA PROCESSING

Pursuant to article 13 of the Regulation (EU) 2016/679 containing provisions on processing of personal data (hereinafter also only the “GDPR”), we inform you about how we process your personal data.

  1. Data Controller of Personal Data

The Data Controller of personal data is: SBI s.r.l. – Viale Forlanini, 38 – 20024 Garbagnate Milanese (MI), IT

1.1 Data Protection Officer (DPO)

You can contact the Data Protection Officer (DPO) at the following address:

SBI s.r.l. – Viale Forlanini, 38 – 20024 Garbagnate Milanese (MI)

email: DPO@sbitalia.com.

  2. Categories of Personal Data Processed

2.1. Personal Data Supplied Voluntarily by you

Your personal data provided by you directly will be processed as part of the processing of personal data.
Personal data means “any information relating to an identified or identifiable natural person («data subject»); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” and relevant images (art. 4 par. 1 no. 1 of the GDPR).

2.2  Navigation Data

The computer systems and software procedures in charge of the website’s operation acquire, during their normal operation, some personal data, the transmission of which is implicit in the use of Internet communication protocols. This information is not collected in order to be associated to identified data subjects, but due to its same nature can allow users to be identified. This category includes the IP addresses or domain names of the computers used by the users to connect to the website, URI (Uniform Resource Identifier) form addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the reply given by the server (done, error, etc.) and other parameters concerning the user’s operating system and computer environment. This data is used with the sole purpose of obtaining anonymous statistical information on the use of the site and checking its correct operation. Moreover, this data can be used to ascertain responsibility in the case of hypothetical computer crimes to the detriment of the website.

  3. Purposes of Personal Data Processing

3.1. Purposes related to the Contractual Relationship between the Customer/Supplier and the Company.

The purposes related to the contractual relationship, where applicable, may involve the processing of master data to be entered in the business and administrative-accounting software for bookkeeping and treasury as well as invoicing activities (for example, invoice verification and registration) in compliance with the obligations and requirements provided for by current laws.

3.2 Marketing Purposes

Marketing purposes include:

  1. sending of sales and promotional materials about the Company services/products through automated (e.g. email) and traditional contact methods (e.g. phone calls by operator and traditional mail);
  2. customer satisfaction surveys, market research, profiling and statistical analyses.

  4. Legal Basis for Personal Data Processing

The legal basis for personal data processing for the purposes set out in paragraph 3.1 is the contract to which you are party in order to enable the delivery and management of the Services.

The legal basis for personal data processing for the purposes referred to in paragraph 3.2 is your specific consent.

The provision of your personal data for the aforementioned purpose is optional and failure to provide it could make it impossible to send you advertising and promotional materials and to carry out profiling and market research activities. The execution and management of the Services as contractually agreed remains however unaffected hereby.

Moreover, we point out that, in any case, if you have given your consent to pursue the purposes set out in paragraph 3.2, you will be free at any time to revoke it and/or to object to the processing of personal data for the purposes above by sending – without formalities – a clear written notice to the email addresses specified in more detail in paragraph 9 below “Rights of the Data Subject – Complaint to the Supervisory Authority”.

In particular, with regard to the exercise of your right of opposition for the above mentioned purposes, we inform you that where you have successfully exercised this right, it will involve all electronic, automated and traditional contact methods, without prejudice to your right of opposition solely with regard to some channels of contact. For example, at any time, by contacting the Data Controller at the addresses specified in more detail in paragraph 9 below “Rights of the Data Subject – Complaint to the Supervisory Authority” you may object to the sending of promotional materials carried out through automated methods only (i.e. contact via email, sms, mms, etc.), thus giving your consent solely to the receipt of communications through traditional methods (i.e. paper-based mail or telephone call by operator).

Following the receipt of such request for revocation and/or opposition, SBI srl will promptly take action to execute the request and update the database.

  5. Methods of Personal Data Processing

Your personal data will be processed through manual, IT and telematic tools as well as in paper form.

  6. Recipients of Personal Data

Data may be disclosed to external Third Parties acting as Data Controllers, e.g. supervisory and control authorities and bodies and, in general, public or private subjects, entitled to request Data. Data may be processed on behalf of the Data Controller by external Third Parties designated as Data Processors, which carry out on behalf of the Data Controller specific activities, e.g. accounting, tax and insurance obligations, mail delivery, management of receipts and payments, etc.

6.1 Subjects Authorized to Process Personal Data

Data may be processed by employees of the company departments responsible for pursuing the aforementioned purposes, who have been expressly authorized to process it and who have received adequate operating instructions.

  7. Transfer of Personal Data to Countries outside the European Union

Your personal data and personal data of other subjects will not be transferred to countries outside the European Union.

  8. Retention Period of Personal Data

With regard to the processing purposes under paragraph 3.1, data collected will be stored for the entire duration of the contract and for no more than 10 years after the termination of the contract. In case of judicial litigation, data will be stored for the entire length of the proceedings, until the deadline for bringing all available appeal actions has expired.

With regard to the processing purposes under paragraph 3.2, the period of data retention is 5 years.

Once the above mentioned retention period has expired, the Data will be destroyed or anonymised in accordance with technical deletion and backup procedures.

  9. Rights of the Data Subject – Complaint to the Supervisory Authority

By contacting the Data Controller by email at privacy@sbitalia.com, data subjects may ask the Company for access to their personal data, deletion of the data, correction of any inaccurate data, integration of incomplete data, restriction of the processing in the cases provided for in art. 18 of the GDPR, and may object, on legitimate grounds, to the processing carried out by the Data Controller.

Moreover, when the processing is based on consent or contract and is performed using automated means, data subjects are entitled to receive their data in a structured, commonly used and machine-readable format, and if technically feasible, to freely send it to another Data Controller.

Data subjects have the right to lodge a complaint with the competent supervisory authority in the Member State where they normally reside or work or in the Member State where the alleged infringement has occurred.

Data subjects have the right to revoke the consent given at any time for marketing purposes and to object to the processing of the processed data for the same purposes. Nonetheless, if, with respect to the aforementioned purposes, data subjects wish to be contacted through traditional methods only, they may object to the receipt of communications through automated procedures only.

Update Date: May 17th, 2019