Information document article 13 of EU Reg. 2016/679 – GDPR
The statement is provided pursuant to art. 13 of EU Reg. 2016/679 (European Regulation for personal data protection) and is also based on the provisions of Directive 2002/58/EC, as updated by Directive 2009/136/EC, on the subject of Cookies as well as that which is provided for by the Provisions issued by the Italian Data Protection Authority relating to cookies.
The statement does not concern other sites, pages or online services that can be reached through any hypertext links involving external resources that may be published on the site.
• PERSONS INVOLVED IN DATA PROCESSING
Data Controller, pursuant to articles 4 and 24 of EU Reg. 2016/679 is NEVEPLAST S.r.l., with headquarters in Via Galvani 18 24061 Albano Sant’Alessandro (Bergamo) VAT No. 02627630169 – Email: firstname.lastname@example.org – Certified email address: email@example.com – telephone (+39) 035 4536661.
The Data Supervisor can be contacted at the following address: Nuova CPA S.r.l. – Via Callagagno No. 6, 24015 San Giovanni Bianco (Bergamo), e-mail: firstname.lastname@example.org.
• CATEGORIES OF DATA COLLECTED AND PURPOSE
During normal operation, the computer systems and software procedures used to operate our site acquire certain personal data whose transmission is implicit in the use of Internet communication protocols. The information is not collected in order to be associated with identified data subjects, but by their very nature could – through processing and association with data held by third parties – allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users accessing the site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s IT environment.
The data is used only to obtain anonymous statistical information on the use of the site and to check its correct functioning. The data could also be used to ascertain responsibility in the hypothetical event of computer crimes committed against the site (legitimate interests of the Data Controller).
DATA SUBMITTED BY THE USER
The optional, explicit and voluntary sending of messages to the contact addresses found on the site, as well as the compilation and forwarding of any forms present, involve the acquisition of the sender’s contact details, as well as all the personal data included in the communications.
The data collected will be used for the following purposes:
• to respond to specific user requests
• to allow Data Subjects to subscribe to the newsletter containing daily news, product/service proposals and other commercial information;
• for market and statistical surveys, marketing and references on advertising communications, preferences on products and services, etc.
COOKIES AND OTHER TRACKING SYSTEMS
Cookies represent data created by a server that is stored in text files on your computer’s hard disk and allow the website to function, the use of a specific function expressly requested by the user or improvements in the way the site functions, such as cookies that make browsing faster or that show content of greater interest to the user based on previous choices. Cookies can be permanent (so-called persistent cookies), but they can also be of limited duration (so-called session cookies).
• METHOD OF DATA PROCESSING AND COLLECTION
Please note that the data collected will be processed using paper (registration forms, order forms, etc.), IT (management, accounting, etc. software) and telematics with organisational and processing logic that is strictly related to the stated purposes and, in any event, in such a way as to guarantee the security, integrity and confidentiality of the data in compliance with the organisational, physical and logical measures required by current regulations.
• RECIPIENTS OR CATEGORIES OF RECIPIENTS OF DATA
The personal data provided may be communicated to recipients appointed pursuant to art. 28 of EU Reg. 2016/679 that will process the data as Data Supervisors and/or as natural persons acting under the authority of the Data Controller and Data Supervisor, in order to comply with contracts or related purposes.
Specifically, data may be communicated to recipients belonging to the following categories:
• entities that provide services for the management of NEVEPLAST S.r.l.’s information system and communication networks;
• subjects that provide services for data storage using cloud storage on behalf of NEVEPLAST S.r.l.,
• studies or companies in the context of assistance and consultancy relationships;
• competent authorities for the fulfilment of legal obligations and/or provisions of public bodies, upon request.
We require all third parties to respect the security of the Data Subject’s personal data and to manage it in accordance with current legislation. We do not allow third party service providers to use the Data Subject’s personal data for their own specific purposes and only allow them to process the Data Subject’s personal data for the purposes specified and in accordance with our instructions.
The list of designated Data Supervisors is continuously updated and available at NEVEPLAST S.r.l.’s office,
• TRANSFER OF DATA TO A THIRD COUNTRY AND/OR INTERNATIONAL ORGANISATIONS
Without prejudice to communications made in compliance with legal and contractual obligations, all data collected and processed may be communicated in Italy and transferred abroad to states that are part of the European Union exclusively for the purposes and to the recipients specified above.
Some of your personal data may be communicated to other entities, based in non-European Third Countries. If the specified third country has yet to receive an adequacy decision from the European Commission in the event of a transfer pursuant to articles 46, 47 and 49(2) of EU Reg. 2016/679, the Data Controller reserves the right to include a clause in the contract stipulated with the foreign entity which specifies the data processing methods for its users, in accordance with the principles established in EU Reg. 2016/679.
• RETENTION PERIOD AND CRITERIA
In compliance with the provisions of art. 5(1)(e) of EU Reg. 2016/679 the personal data collected will be stored in a form that allows the identification of the Data Subjects for a period of time not exceeding the achievement of the purposes for which the personal data is processed.
In relation to the various types of processing performed, NEVEPLAST S.r.l. may store your data:
• for the purposes related to compliance with any legal obligations, hence we shall store your data for the time required by current legislation.
• to send you our newsletter, hence we shall store your data until you elect to withdraw your consent.
• LEGAL BASIS
We process your personal data based on various legal bases depending on the specific purpose of using the data, as well as expressed consent (if required). In the event that the legal basis is rooted in consent, the Data Subject has the right to withdraw consent at any time.
Our decision-making process is not automated. We encourage users to ask us any questions they may have.
• NATURE OF THE PROVISION OF PERSONAL AND REFUSAL
The provision of personal data, for the purposes described in this information document, is necessary to improve specific functions and make use of the services offered to the Data Controller, for example to receive feedback on the request for information submitted. Failure to provide personal data may make it impossible to obtain the requested service or use the services offered by the site.
Please not that you have the right to withdraw your consent at any time.
• RIGHTS OF DATA SUBJECTS
You can assert your rights, as expressed in articles 15, 16, 17, 18, 20, 21 of EU Reg. 2016/679, by contacting the Data Controller (see Persons involved in data processing).
You have the right, at any time, to ask the Data Controller for access to your personal data, their rectification, deletion or to restrict their processing.
Furthermore, you have the right to oppose the processing of your data (including automated processing, e.g. profiling), as well as to the portability of your data, at any time.
Without prejudice to any other administrative or judicial appeals, if you believe that the processing of data related to you violates the provisions of EU Reg. 2016/679, pursuant to art. 15(f) of the aforementioned EU Reg. 2016/679, you have the right to lodge a complaint to the Data Protection Authority and, with reference to art. 6(1)(a) and art. 9(2)(a), have the right to withdraw your consent at any time.
In the case of a request for data portability, the Data Controller will provide you with personal data related to you, without prejudice to paragraphs 3 and 4 of art. 20 of EU Reg. 2016/679.
For more information, please refer to the text of the articles mentioned above:
a. Article 15 Right of access of the Data Subject
1. The interested party has the right to obtain confirmation as to whether processing of personal data relating to them is being carried out from the Data Controller and, in such an event, to obtain access to personal data and to the following information: a) the purposes of the processing; b) the categories of personal data in question; c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if they are recipients in third countries or international organisations; d) where possible, the retention period of personal data or, if not possible, the criteria used to determine said period; e) the existence of the right of the Data Subject to request that the Data Controller should rectify or delete personal data or restrict the processing of personal data relating to them or to oppose its processing; f) the right to lodge a complaint with a supervisory authority; g) if the data is not collected from the Data Subject, all available information on their source; h) the existence of an automated decision-making process, including the profiling referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic used, as well as the importance and envisaged consequences of said processing for the Data Subject.
2. If personal data is transferred to a third country or an international organisation, the Data Subject has the right to be informed of the existence of suitable guarantees pursuant to article 46 relating to the transfer.
3. The Data Controller shall provide a copy of the personal data subjected to processing. In the event of further copies being requested by the Data Subject, the Data Controller may charge a reasonable fee based on administrative costs. If the Data Subject submits the request by electronic means, and unless otherwise indicated by the Data Subject, the information is provided in a commonly used electronic format.
4. The right to obtain a copy referred to in paragraph 3 must not affect the rights and freedoms of others.
b. Article 16 Right of rectification
1. The Data Subject has the right to have inaccurate personal data relating to them rectified by the Data Controller without undue delay. Taking into account the purposes of the processing, the Data Subject has the right to have their incomplete personal data completed, which could include providing a supplementary statement.
c. Article 17 Right to deletion
1. The Data Subject has the right to have personal data relating to them deleted by the Data Controller without undue delay and the Data Controller is under the obligation to delete personal data without undue delay, if one of the following reasons exists: a) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed; b) the data subject withdraws the consent on which the processing is based in accordance with article 6(1)(a), or article 9(2)(a), and if there is no other legal basis for processing ; c) the Data Subject opposes processing pursuant to article 21(1) and there is no legitimate prevailing reason to proceed with processing, or they oppose processing pursuant to article 21(2); d) the personal data has been unlawfully processed; e) the personal data must be deleted in order to fulfil a legal obligation under EU law or the laws of a Member State to which the Data Controller is subject; f) the personal data has been collected in relation to the offer of services provided by the information company referred to in article 8(1).
2. If the Data Controller has disclosed personal data and is obliged to delete it pursuant to paragraph 1, then taking into account the technology available and costs of implementation, they shall take reasonable measures, including technical ones, to inform the Data Controllers who are processing personal data of the Data Subject’s request to delete any link, copy or reproduction of their personal data.
3. Paragraphs 1 and 2 do not apply if processing is necessary: a) to exercise the right to freedom of expression and information; b) to fulfil a legal obligation that requires processing envisaged by EU law or the laws of a Member State to which the Data Controller is subject or to perform an activity in the public interest or when the Data Controller performs an activity for which they are invested with public authority; c) for reasons of public interest in the public health sector in accordance with article 9(2)(h) and (i) and article 9(3); d) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with article 89(1), to the extent that the right referred to in paragraph 1 risks rendering it impossible to achieve, or seriously affects the achievement of, the objectives of said processing; or e) to establish, exercise or defend a right in court.
d. Article 18 Right to restrict processing
1. The Data Subject has the right to make the Data Controller place restrictions on processing when one of the following situations occur: a) the Data Subject disputes the accuracy of their personal data, for the period required by the Data Controller to check the accuracy of said personal data; b) processing is unlawful and the Data Subject opposes the deletion of personal data and, instead, requests that its use be restricted; c) although the Data Controller no longer needs the personal data for the purposes of processing, it is necessary for the Data Subject to be able to ascertain, exercise or defend a right in court; d) the Data Subject has opposed processing pursuant to article 21(1), pending verification of the possible prevalence of the Data Controller’s legitimate reasons with respect to those of the Data Subject.
2. If processing is restricted pursuant to paragraph 1, said personal data shall be processed, except for storage, only with the consent of the Data Subject or for the verification, exercise or defence of a right in court or to protect the rights of another natural or legal person or for reasons of significant EU or Member State public interest.
3. The Data Subject who has obtained the processing restrictions pursuant to paragraph 1 shall be informed by the Data Controller before the restriction is withdrawn.
e. Article 20 Right to data portability
1. The Data Subject has the right to receive the personal data relating to them that has been provided to the Data Controller in a structured, commonly used format that is legible by an automatic device and has the right to transmit said data to another Data Controller without hindrance by the Data Controller to whom it was supplied if: a) processing is based on consent pursuant to article 6(1)(a) or article 9(2)(a) or on a contract pursuant to article 6(1)(b); and b) processing is performed by automated means.
2. In exercising their rights with respect to data portability pursuant to paragraph 1, the Data Subject has the right to the direct transmission of their personal data from one Data Controller to another, if technically feasible.
3. The exercise of the right referred to in paragraph 1 of this article is without prejudice to article 17. The right does not apply to the processing required for the performance of an activity of public interest or connected to the exercise of public authority with which the Data Controller is invested.
4. The right referred to in paragraph 1 must not affect the rights and freedoms of others.
f. Article 21 Right of opposition
1. The Data Subject has the right to oppose the processing of personal data relating to them at any time, for reasons related to their particular situation, pursuant to article 6(1)(e) or (f), including profiling on basis of these provisions. The Data Controller shall refrain from further processing personal data unless they demonstrate the existence of legitimate cogent reasons for processing that prevail over the interests, rights and freedoms of the Data Subject or for the verification, exercise or defence of a right in court.
2. If personal data is processed for direct marketing purposes, the Data Subject has the right to oppose the processing of personal data relating to them for said purposes at any time, including profiling to the extent to which it is connected to said direct marketing.
3. If the Data Subject opposes processing for direct marketing purposes, the personal data shall no longer be processed for said purposes.
4. The right referred to in paragraphs 1 and 2 is expressly brought to the attention of the Data Subject and is presented clearly and separately from any other information at the time of the first communication with the Data Subject at the latest.
5. In the context of the use of the information company services and without prejudice to Directive 2002/58/EC, the Data Subject may exercise their right to oppose by automated means using specific techniques.
6. If personal data is processed for scientific or historical research purposes or for statistical purposes pursuant to article 89(1), for reasons related to their particular situation, the Data Subject has the right to oppose the processing of personal data relating to them, except if processing is required to perform an activity in the public interest.
Last updated: November 2018