Website Legal Notes
PERSONAL DATA PROCESSING POLICY
pursuant to Legislative Decree 196/03 and EU Regulation no. 2016/679
SYGEST S.r.l. (hereinafter, the “Data Controller”),
Via Luciano Lama 10 – 43040
LEMIGNANO DI COLLECCHIO (PR)
Tel. +39 0521 304020 – VAT no. 01965100348
Email: firstname.lastname@example.org, Certified Email: email@example.com – Web: www.sygest.com
in its role as Data Controller,
hereby informs you
pursuant to Article 13 of Legal Decree no. 196 dated 30.06.2003 (hereinafter, the “Privacy Code”) and Article 13 of EU Regulation no. 2016/679 (hereinafter, the “GDPR”) that your data will be processed (acquired, stored, utilised and so forth) in the manner and for the purposes described herein.
- Parties Authorised to Complete Processing
The Data Controller is:
Sygest S.r.l., with registered office at Via Luciano Lama 10 – 43040 LEMIGNANO DI COLLECCHIO (PR).
Appointed as DPO (Data Protection Officer) on 01/05/2020 was the consulting company R.T. Consulting S.r.l.s., having registered office at Via Stradello Monte Cavallo 6 – 43124 Parma and VAT no. 02928270343. The Administrative Office of the company SYGEST S.r.l. is in charge of processing communications with Data Subjects and policy/consent management.
For the sake of brevity, an up-to-date list of the other Data Processors and persons in charge of the processing is not given in full here; it is stored at the Data Controller’s registered office and may be requested at any time, as set out in the last Article herein.
- Scope of the Processing
The Data Controller processes personal, identifying data (such as first name, surname, company name, address, telephone number, email, bank details and payment information), hereinafter referred to as “Personal Data” (or “Data”), communicated by you in connection with the signing of contracts for the Data Controller’s services/products.
- Purposes of the Processing
Your Personal Data shall be processed:
- Without your express consent (Article 24[a], [b] and [c] of the Privacy Code and Article 6[b] and [e] of the GDPR) for the following service objectives:
- Entering into contracts for the services/products of the Data Controller;
- Complying with existing pre-contractual, contractual and fiscal obligations deriving from relationships with you;
- Fulfilling the obligations established by law, by a regulation, by EU legislation or by an order of the Authority (such as for anti-money laundering);
- Exercising the rights of the Data Controller, for example the right to defence in court.
- Only with your specific and distinct consent (Articles 23 and 130 – Privacy Code and Article 7 – GDPR), for the following Marketing purposes:
- Sending you via email, post and/or telephone contact any newsletters, commercial communications and/or publicity material on products or services offered by the Data Controller or any surveys on satisfaction regarding the quality of services;
- Sending you via email, blog, post, text message and/or telephone contact any commercial and/or promotional communications from third parties (such as business partners, etcetera).
We hereby inform you that if you are an existing customer, we may send you commercial communications related to the Data Controller’s services and products similar to those you have already utilised, unless you disagree (Article 130 – Privacy Code).
- Manner of Processing
The processing of your personal data is performed by way of the operations indicated in Article 4 of the Privacy Code and Article 4(2) of the GDPR, namely: collection, recording, organisation, structuring, retention, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data. Your personal data is subject to both paper and electronic and/or automated processing.
The Data Controller will process your personal data for the time necessary to fulfil the aforementioned purposes and for a period not exceeding 10 years from the termination of the relationship for Service Purposes and not exceeding 2 years from the date on which the data was collected for Marketing Purposes.
- Access to Data
Your data may be made accessible for the purposes set out in Articles 3(A) and 3(B), namely:
- To employees and contractors of the Data Controller in Italy, in their capacity as Data Processors and/or internal Data Processors and/or System Administrators;
- To third-party companies or other entities (by way of example, credit institutions, professional firms, consultants, insurance companies for the provision of insurance services and so on) that perform outsourcing activities on behalf of the Data Controller, in their capacity as external Data Processors.
- Communication of Data
Without the need for express consent (pursuant to Article 24[a], [b] and [d] of the Privacy Code and Article 6[b] and [c] of the GDPR), the Data Controller may communicate your data for the purposes of Article 3(A) to judicial authorities, to insurance companies for the provision of insurance services, as well as to those subjects to whom communication is required by law for the fulfilment of the aforementioned purposes. The said bodies will process the data in their capacity as autonomous Data Controllers.
Your data shall not be disseminated.
- Transfer of Data Abroad
Personal data is stored either on computerised media or on unmanaged cloud computing (since all our clients access their data on the cloud through a Data Management Application that prevents the visibility of other tenants’ data) or on internal servers managed directly and exclusively by the company SYGEST S.r.l. at its head office at Via Luciano Lama 10 – 43040 LEMIGNANO DI COLLECCHIO (PR), within the European Union.
Personnel with direct access to all cloud data are exclusively the Data Centre Manager, Chief Technology Officer and any persons temporarily delegated by them for service needs.
All PII (Personally-Identifiable Information) is managed using an encryption system, the keys for which are handled and guarded by the company SYGEST.
It is in any case understood that the Data Controller, should it become necessary, will ask for further consent to moving the servers and the data contained therein also outside the EU, subject to termination of the contract behind the management of the data. In this case, the Data Controller guarantees that the transfer of data outside the EU will take place in accordance with applicable legal provisions, subject to the standard contractual clauses stipulated by the European Commission.
- Nature of Data Conferment and Consequences of Refusing to Reply
The provision of data for the purposes set out in Article 3(A) is obligatory. In the absence of such, we will not be able to guarantee the Services under Article 3(A).
The provision of data for the purposes set out in Article 3(B) is however optional. You may thus decide not to provide any data or to subsequently deny the possibility of processing data previously provided. In this case, it will not be possible to receive newsletters, sales communications or advertising material generally, inherent in the services offered by the Data Controller. You shall nevertheless continue to be entitled to the Services referred to in Article 3(A).
- Rights of the Data Subject
In your capacity as Data Subject, you have the rights under Article 7 of the Privacy Code and Article 15 of the GDPR, namely the right to:
- Obtain confirmation of the existence or not of personal data concerning you, even if not yet registered, and its communication in an intelligible form;
- Obtain information on: a) the origin of the personal data; b) the purposes and methods of processing; c) the logic applied in the event of processing conducted with the aid of electronic instruments; d) the identity of the Data Controller, Data Processors and the representative designated pursuant to Article 5 of the Privacy Code and Article 3 of the GDPR; e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of such in their capacity as appointed representatives of the State, Managers or Data Processors.
- Obtain: a) the updating, rectification or – where relevant – integration of data; b) the erasure, transformation into anonymous form or blocking of data processed unlawfully, including that which does not need to be stored for the purposes for which the data was collected or subsequently processed; c) attestation that the operations per letters a) and b) have been disclosed, also as regards their content, including those to whom the data has been communicated or disseminated, except in the case in which such fulfilment proves impossible or involves the use of means that are manifestly disproportionate to the protected right;
- Object, in whole or in part: a) on legitimate grounds, to the processing of personal data concerning you, even if pertinent to the purpose of collection; b) to the processing of personal data concerning you for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication, by means of automated calling systems without operator intervention, via email and/or by traditional marketing methods by telephone and/or post – it should be noted that the Data Subject’s right to opposition, as set out in Point b) above, to direct marketing purposes through automated methods extends to traditional ones and that in any case, the Data Subject maintains the right to exercise the right to opposition, even if only partially. Consequently, the Data Subject may choose to receive only communications via traditional means, only automated communications or neither.
Where applicable, the Data Subject also has the rights set out in Articles 16–21 of the GDPR:
- Right of Rectification (amendment, supplementation);
- Right to be Forgotten (deletion of personal data);
- Right of Restriction of Processing;
- Right to Data Portability (transfer of data in a structured, commonly-used and machine-readable format);
- Right to object to processing;
- Right to file a complaint with the Data Protection Authority.
- How to Exercise Your Rights Under Articles 16–21 of the GDPR
As Data Subject, you may at any time exercise your rights or request clarification by sending a letter to the kind attention of the Administrative Office (indicating in the subject line “Privacy” followed by the reason, for example “Privacy – Erasure”):
- A registered letter with return receipt to SYGEST Srl – Via Luciano Lama 10 – 43040 LEMIGNANO DI COLLECCHIO (PR);
- An email sent to firstname.lastname@example.org.
Or by contacting the DPO – R.T. Consulting S.r.l.s. via:
Lemignano di Collecchio, 05.09.22
The Legal Representative of the company SYGEST S.r.l.
Engineer Artemio Bisaschi