Latest update: 25/02/2020
PRIVACY NOTICE PURSUANT TO ARTICLE 13 OF THE EUROPEAN REGULATION 2016/679
with regard to personal data processed through this website
For us, data protection is a very serious topic. For this reason we wish to inform you about how we process your personal data and which rights you can exercise under current data protection law, in particular the European Regulation 2016/679 (hereinafter also: “GDPR”).
Who is the Data Controller? Where can I reach the Data Controller?
- Data Controller
With regard to the data processing purpose described below at point 2.b) (briefly: advertising and/or promotional activities, and marketing activities in general), the following are Joint Controllers*, pursuant to Article 26 of the GDPR:
EB Rebosio S.r.l.
Registered office: Via Mercanti, 17, 25018, Montichiari BS; Operating office: Via Carso, 49, 24040, Madone (BG);
Registered office: Via Mercanti, 17, 25018, Montichiari BS; Operating office: Via Italo Calvino, 6, 25018, Montichiari BS;
Resine Bonomi S.r.l.
Registered office: Via Mercanti, 17, 25018, Montichiari BS; Operating office: Via Lodi, 14, 26010, Bagnolo Cremasco (CR);
* The main content of the joint controllership agreement is available to the data subjects.
- Data Processing Purposes covered by the consent of the data subject (Article 6, paragraph 1 (a) of the GDPR)
Personal data can also be processed to pursue specified purposes for which the data subject has given his/her consent:
- a) To answer data subjects’ questions and to respond to data subjects’ requests sent to the contacts mentioned on the website or through this website’s forms, including requests for information about our products, services and purchases, requests for our quotes, the sending of our quotes, and requests for assistance;
- b) The performance of advertising/promotional activities in the wider sense (for example: sending of newsletters and information material, sending of brochures, event organization, etc.) and other marketing activities, through automated contact methods (for example: calls without an operator, email, SMS, messaging systems, including instant and internet-based ones, also to mobile phones) and non-automated ones (sending of paper mail or calls with an operator), in joint controllership with the three above mentioned companies that act as joint controllers.
With regard to the data processing purposes of the present section, data retention is:
For purpose a: until the request of the data subject has been executed;
For purpose b: 24 months from the date when the data subject gave his/her consent.
- Categories of personal data processed
Data Controller mainly processes “personal data” (Article 4.1 of the GDPR).
In particular, the categories of personal data processed may include, by way of non-exhaustive example:
- Biographical and identification data (by way of non-exhaustive example: name, surname, etc.);
- Contact Data (address, e-mail address, IP address, mobile phone and similar data).
- Data related to the potential providing of services.
- Personal Data Recipients or categories of personal data Recipients (Article 13 paragraph 1 (e) of the GDPR) *
In relation to the aforementioned purposes, data could be disclosed to:
- Offices and internal functions within the Data Controller’s company;
- Supervisory and Regulatory Bodies
- Companies belonging to Bonomi Group **, even different from the above mentioned Joint Controllers, in particular when it is necessary to execute data subjects’ requests;
- Companies and professional operators that provide IT services, among which the data electronic processing, software and websites management and IT consultancy;
- Companies and other external subjects that provide website maintenance services;
- Companies and advertising and communication agencies;
- Mailing and hosting provider companies, postal carrier and companies that carry out bagging and material shipping activities and companies that carry out the documentation filing.
* The complete and updated list of Data Controllers, Data Processors and Data Recipients (Article 4.9 of the GDPR), is made available at Data Controller’s Offices.
** The complete and updated list of the Bonomi Group companies is available on the website at the page CONTACTS.
- Data recipients or categories of personal data recipients (Article 13 paragraph 1 (f) of the GDPR)* and transfer of personal data to third countries
The Data Controller does not transfer the data subject’s personal data to non-EU and non-EEA countries to pursue the above mentioned data processing purposes.
However, if it is necessary in order to execute the request of the data subject, the Data Controller may transfer data subjects’ personal data to countries not included in the EU and in the EEA, in particular to Brazil and Turkey, if the request concerns the services provided by one of the Bonomi Group companies located in one of the above mentioned countries. The European Commission*** has decided that the above mentioned countries do not ensure an adequate level of protection of personal data. Therefore, if we have to transfer the data subject’s personal data outside the EU, we will adopt appropriate safeguard measures, in accordance with the applicable European and Italian law, in order to ensure that the data themselves are properly protected.
In particular, if it is necessary to execute the data subject’s request, his/her data could be transferred to Brazil or Turkey, countries in which companies of the Bonomi Group are located, in accordance with Article 46 of the GDPR, because the Data Controller has entered into the so-called Standard Contractual Clauses (SCC) with the above mentioned companies in order to protect the transfer of these data.
In relation to personal data that are the object of the above mentioned transfer to non-EU/EEA countries, the data subject can ask the Data Controller for information on such data transfer by sending an email to the following email address:
* The complete and updated list of Data Controllers, Data Processors and Data Recipients (Art. 4.9 of the GDPR), is made available at Data Controller’s Offices.
*** The updated list of the countries outside the EEA that the European Commission considers to ensure an adequate level of protection of personal data is available on the following website: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
- Rights of Data Subjects
With reference to the personal data that are the object of this privacy notice, the Data Subject can exercise the following rights provided by the GDPR:
- Right of access by the data subject [Article 15 of the GDPR] (the right to access information on whether or not his/her Personal Data are being processed and to obtain a copy on request);
- Right to rectification [Article 16 of the GDPR] (the Data Subject can obtain the rectification of his or her Personal Data which are inaccurate);
- Right to erasure without undue delay (“the right to be forgotten”) [Article 17 of the GDPR] (the Data Subject shall have the right to obtain the erasure of his or her Personal Data);
- Right to restriction of processing of Personal Data in the cases envisaged by Article 18 of the GDPR, such as in the case of unlawful processing, or where the accuracy of the personal data is contested by the data subject [Article 18 of the GDPR];
- Right to data portability [Article 20 of the GDPR] (the data subject shall have the right to receive the personal data concerning him or her in a structured format in order to transmit those data to another controller, in the cases envisaged in the same Article);
- Right to object [Article 21 of the GDPR] (the Data Subject shall have the right to object to the processing of his/her personal data in the cases envisaged in and regulated by Article 21 of the GDPR);
- Right not to be subject to a decision based solely on automated processing [Article 22 of the GDPR] (the data subject shall have the right not to be subject to a decision based solely on automated processing).
In relation to the data processing purposes, for which consent is required, the data subject can withdraw his/her consent at any time and the effects will be produced from the date of the consent withdrawal, except for the terms laid down by law. In general terms, the consent withdrawal produces effects only for the future.
The abovementioned rights can be exercised, as envisaged by the GDPR, by sending an email to firstname.lastname@example.org or by using the contact information indicated in point 1 of this privacy notice.
Bonomi Eugenio S.p.A., in observance of Article 19 of the GDPR, shall communicate any rectification or erasure of personal data or restriction of processing requested to each recipient to whom the personal data have been disclosed, where possible.
So that requests made in the exercise of the rights described above can be executed more quickly, the requests themselves can be addressed to the Data Controller using the contact information indicated in point 1 of this privacy notice.
- Right to lodge a complaint (Article 13 paragraph 2 (d) of the GDPR)
If the data subject considers that his or her rights have been compromised, he or she has the right to lodge a complaint with the Italian Data Protection Authority, following the procedure described by the Authority itself at the following link:
http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524 or sending a written communication to the Italian Data Protection Authority, Address: Piazza Monte Citorio n.121, Postal Code: 00186 – Rome.
- Possible consequences of failure to provide data and the nature of data provision (Article 13 paragraph 2 (e) of the GDPR)
8.1 In case of compliance with a possible legal or contractual obligation
We underline that, if the data processing purpose has a legal or contractual obligation (including a pre-contractual obligation) as its legal basis, the Data Subject is obliged to provide the personal data required by the Data Controller.
If not so, the Data Controller will be unable to pursue the specific Data Processing purpose.
8.2 In case of Data Subject’s Consent
We underline that the abovementioned purposes have consent as their legal basis and, with regard to these purposes, the Data Subject can withdraw his/her consent at any time and the effects will be produced from the date of the consent withdrawal, except for the terms established by law. In general terms, the consent withdrawal produces effects only for the future. Therefore, the data processing that was carried out before the consent withdrawal will not be affected and will maintain its lawfulness.
A lack of consent, or only partial consent, may mean that the complete provision of services cannot be ensured with regard to the individual purposes for which consent is not given.
We underline that, with regard to requests for information, although the consent to data processing is freely given, the consent itself is necessary to execute the Data Subject’s request. Therefore, the sending of the request, or a comparable manifestation of the Data Subject’s will, will be considered as the giving of consent, which can always be withdrawn with the aforementioned consequences.
When the data are no longer necessary, they are regularly erased. If their erasure proves impossible, or possible only with a disproportionate effort due to a particular data storage mode, the data will no longer be processed and will be stored in areas that are not accessible.
At present, the use of decisions based solely on automated processing, as detailed by Article 22 of the GDPR, is excluded. If, in the near future, the Data Controller decides to establish this kind of processing for individual cases, the Data Subject will receive a separate notice, if this is laid down by law, or an update of this privacy notice.
- Data processing methods
The personal data will be processed in paper and/or electronic format and will be entered into the relevant databases. In both cases, the data will only be accessed by operators who are expressly designated by the Data Controller as Data Processors and Operators in charge of processing personal data. They may be required to carry out operations which include consultation, use, processing, comparison and any other appropriate operations that may also be automated, in compliance with the provisions of law, and which are necessary to ensure, inter alia, the confidentiality, security and accuracy of the data, as well as updating the data and ensuring relevance with respect to the stated purposes.
Data processing useful for website navigation purposes
The computer systems and software processes used to run this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects but, by its very nature, could allow users to be identified through processing and association with data held by third parties.
The information that could be collected includes: IP addresses, the type of browser or operating system used, addresses in URI (uniform resource identifier) notation, the domain name and the addresses of the websites from which access or exit occurs (referring / exit pages), the time at which the request was made to the server, the method used and information on the response obtained, further information about the user’s navigation on the site (see also the section on cookies), and other parameters relating to the user’s operating system and computer environment. The same data could also be used to identify and ascertain responsibility in case of any cyber attack against the website.