Policy pursuant to article 13 and following of EU Regulation no. 2016/679 (GDPR)
Pursuant to articles 13-14 and following of the EU Regulation no. 2016/679 (GDPR), we provide the following notice.
This statement is made by Scovaventi S.S. Agricola (Scovaventi), with registered office in Loc. X Campigliola Paglieto, 56 – Manciano (GR), in its capacity as Data Controller.
Email contact details of the Data Controller for information regarding the processing: firstname.lastname@example.org
The data collected are processed in accordance with the principles of correctness, transparency, limiting them solely to the purposes necessary for the exercise of their activity, minimizing, updating and adopting all the necessary measures to ensure the accuracy of the data processed and, finally, ensuring the confidentiality and integrity of the same.
Data processing is done by manual, telematic and IT procedures; safety measures are adopted to avoid the risk of unauthorized access, destruction or loss, treatment not allowed or not in accordance with the purpose of the collection.
It should be noted that in the following policy when citing the terms such as Data Controller, Data Subject, Data Processor, reference is made to the definitions of the same as laid down pursuant to art. 4 of the EU Regulation no. 2016/679 (GDPR).
Categories of personal data processed
Scovaventi S.S. Agricola will process the following personal data:
- Personal records, address of residence or domicile and contact details (e.g. phone, email address, PEC address), more generally personal identification data;
- Electronic identification data;
- Bank details, payment and / or financial data;
- Health data, such as certifications aimed at obtaining tax reductions and / or exemptions;
- Family data;
- Data of telematic traffic;
- Judicial data;
- Union membership data.
Scovaventi S.S. Agricola, as also highlighted in this list, processes or could also process data falling within those provided for in art. 9 first para of the EU Regulation no. 2016/679 (GDPR) (so-called “special categories of personal data”). This processing, which will take place according to the principles of correctness, lawfulness, transparency and protection of confidentiality, is permitted and carried out in compliance with the provisions of art. 9 second para lett. a), b) and f) of EU Regulation no. 2016/679 (GDPR).
Categories and types of processing
The data provided are processed by Scovaventi S.S. Agricola for the execution of operations such as:
collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, comparison, interconnection, limitation, cancellation or destruction.
This list is merely an example of some of the types of processing that are put in place on the basis of data which Scovaventi S.S. Agricola controls.
The types of further processing that can be implemented, in addition to those indicated above, are for example: automated and systematic evaluation processes, profiling, systematic surveillance and use of new technologies or application of technical and organizational means.
Appropriate indication of the latter types of processing, if any, will be given in the present policy in the paragraph “Purpose and legal basis of the processing”.
Purpose and legal basis of the processing
The data provided are processed by Scovaventi S.S. Agricola for the following purposes:
- compliance with legal obligations, or institutional purposes as provided by the Statute of Scovaventi S.S. Agricola, as well as for the fulfillment of obligations arising from contracts from time to time executed between Scovaventi S.S. Agricola and the users involved in the processing;
- Administration and management of personnel;
- IT security: the Data Controller, in line with the provisions of Recital 49 of EU Regulation no. 2016/679 (GDPR), processes, also through its suppliers (third parties and / or recipients), the personal data of the Data Subject related to traffic in strictly necessary and proportionate measure to ensure network and information security, i.e. the ability of a network or information system to resist, at a given level of security, unforeseen events or illicit or malicious acts that compromise the availability, authenticity, integrity and confidentiality of personal data stored or transmitted. The Data Controller will promptly inform the Data Subjects, if there is a particular risk of breach of their data, in compliance with the obligations deriving pursuant to art. 33 of EU Regulation no. 2016/679 (GDPR) concerning notifications of breach of personal data.
The legal basis for such processing is compliance with legal obligations and the legitimate interest of the Data Controller to carry out processing with the aim of protecting the company assets and the security of the offices and systems;
- Profiling: the personal data of the Data Subject may also be processed for profiling purposes, as defined in art. 4 of EU Regulation no. 2016/679 (GDPR); the personal data of the Data Subject, including both the so-called Particular Data (Art. 9 GDPR) and Judicial Data (Art. 10 GDPR), will be processed to allow checks for the purpose of monitoring and preventing payments and / or fraudulent defaults by software systems that carry out an automated verification prior to the start of the compulsory phase of the claims claimed by the Owner. This treatment is carried out for the legitimate interest of the Data Controller;
- Soft Marketing and Marketing: this is the scenario in which the Data Controller wants to use the data provided by customers for further purposes, such as sending promotional communications relating to services provided by the Controller or by third parties, for example:
- commercial and promotional information, direct sales, market research on products, services and events, distribution of vouchers or coupons for the withdrawal of small prizes / giveaways of minimum economic value (hereafter jointly referred to as “marketing”). The processing for marketing purposes will take place through the use of remote communication techniques, such as telephone, e-mail, mms, sms, whatsapp, app, social media network and others, also through automated systems. The provision of personal data for this purpose is optional and the processing requires the consent of the interested party. The consent given for sending commercial and promotional communications through automated tools also extends to traditional contact methods. This activity, however, is subject to the presence of the following requirements:
- can only be carried out for the transmission of emails (phone calls are excluded);
- the email of the Data Subject / customer must be the one indicated when buying products or services;
- messages must be sent for direct sales of products and / or services provided by the Controller (and not by third parties);
- the product or service must be similar to those already purchased by the Data Subject or, at least, connected to it;
- the recipient must not have refused, at the beginning or during the course of processing, the sending of promotional communications and, moreover, must have the possibility to oppose the processing of data at any time, free of charge and in a simple way (opt-out option present in the mails sent).
This type of service allows to manage a database of email contacts, telephone contacts or contacts of any other type, used to communicate with the user / Data Subject. These services, it is specified, could also allow to collect data relating to the date and time of display of messages by the user / Data Subject, as well as information on clicks on links inserted in the messages.
- Ecommerce: the Data Controller allows you to purchase its products directly from its website. On this occasion, the user may or may not register their account on the website and then complete the order. The data that will be processed are those necessary for the issuance of the invoice (i.e. identification data, accounting data, payment data), those for shipping and those for navigation through profiling cookies. The payment systems made available to the Data Controller on its website are those by credit card and PayPal (in relation to the latter payment method, please refer to the PayPal privacy page: https://www.paypal.com/en/webapps/mPP/ua/privacy-full).
- Newsletter: the newsletter service consists of sending electronic communications as a result of the express request of the recipient / Data Subject, for which is sufficient the consent provided by the same when completing the registration form to the newsletter service where this policy is shown. It should be noted that there is no further processing of data compared to the mere sending of the newsletter and, in any case, the data collected are those strictly necessary to send the newsletter itself. This type of service allows to manage a database of email contacts, telephone contacts or contacts of any other type, used to communicate with the user / Data Subject. These services, it is specified, could also allow to collect data relating to the date and time of display of messages by the user / Data Subject, as well as information on clicks on links inserted in the messages. For the newsletter, the Data Controller uses the following software: MailChimp: it is a platform created for the marketing management of small companies. The company that owns the platform is The Rocket Science Group, LLC, 675 Ponce de Leon NE, Suite 5000, Atlanta, GA 30308 USA. For the management of privacy, see the company’s website: https://mailchimp.com/legal/privacy/
- Personal data collected for the sole purpose of anti-fraud procedures, unlike the data necessary for the correct execution of the service, will be immediately canceled at the end of the control procedures.
- Online payments: the retention of financial data does not take place because the transactions are not managed through the company’s website but directly by the financial institutions (payments made by bank transfer) or the PayPal platform which also manages the transactions.
The Data Controller shall use appropriate security measures to preserve the confidentiality, integrity and availability of personal data of the Data Subject and imposes similar security measures on third party suppliers and data processors.
Categories of third parties to whom the data may be communicated
The data held by the Data Controller may be disclosed to third parties for the fulfillment of legal obligations, as well as for the execution of the contract signed between Scovaventi S.S. Agricola and the individual user / Data Subject and, moreover, since the personal data of the Data Subject will be communicated mainly to third parties and / or recipients whose activity is necessary for the performance of activities related to the activity of the Data Controller and to meet certain legal obligations, the data may be communicated to the following categories of subjects:
- Third-party suppliers who carry out for Scovaventi S.S. Agricola technical and organizational services (e.g. maintenance and software management, printing and sending correspondence);
- Credit and digital payment institutions, banking / postal institutions (for the purpose, e.g., of collection management, payments);
- Firms, consultants and companies in the field of assistance and consultancy transactions (e.g. fulfillment of legal obligations, exercise of rights, protection of contractual rights, credit recovery);
- Financial Administration, Public Bodies, Judicial Authorities, Supervisory and Control Authorities (and this for purposes such as, among others, the fulfillment of legal obligations, the defense of rights, the formation or updating of lists and registers held by public Authorities or similar bodies based on specific legislation);
- Formally delegated persons or persons with recognized legal title (i.e. legal representatives, curators, tutors).
The Data Controller imposes on the Third Party suppliers and on the Data Processors the respect of security measures equal to those adopted towards the Data Subject, restricting the powers of action of the Data Processor to the processing activities related to the requested performance, and requesting that the Data Processor itself adopts and respects the duties imposed by the EU Regulation no. 2016/679 (GDPR) in relation to the processing of data with which it comes into contact.
The Data Controller does not transfer personal data to countries where EU Regulation no. 2016/679 (GDPR) is not applied (non-EU countries), or countries with which it is not specifically envisaged an agreement with the EU Authorities or with individual Member States (e.g. Privacy Shield EU-US). Otherwise, it will be the Data Controller’s responsibility to inform the Data Subject in advance of this type of transfer.
The legal basis for such processing is the performance of the services inherent to the institutional duties of the Data Controller, compliance with legal obligations and the legitimate interest of Scovaventi S.S. Agricola to carry out the processing necessary for these purposes.
Joint Data Controller
For the performance of its business, especially in the marketing sector, Scovaventi S.S. Agricola makes use of programs and social networks which, by their nature, are to be considered as Joint Data Controllers. Specifically, Scovaventi S.S. Agricola uses the following promotional tools:
- Facebook and Instagram: they are social networks in which individual users must previously and independently register. The data acquired through social media are managed in the manner provided for the same, to which reference is made: https://it-it.facebook.com/privacy/explanation.
External Data Processors
During the data processing, Scovaventi S.S. Agricola makes use of the following external data processors to whom the data of the Data Subjects may be communicated or accessed:
- Zucchetti: supplier and maintainer of the Ad Hoc Revolution software, software that is used as company management;
- Andrea Imparato: professional who takes care of the bookkeeping relating to the Data Controller and provides the Team System software for electronic invoicing;
- Enzo Bergamini and Simona Albini: professionals who perform the role of job consultants in the interest of the Data Controller;
- Yes I Am: as a website maintainer and newsletter software;
- Aruba: as the website hosting provider;
- Linkway: in its function of hosting provider maintainer of internal network.
Details to contact the individual external data processors will be provided, where necessary and after a written request sent by email to the address of the owner of the Data Controller email@example.com.
Duration of processing and storage period
The data will be processed, and stored, for as long as they are necessary with respect to the legitimate purposes for which they were collected, or until an explicit request for cancellation of the data according to the provisions of the Regulation EU no. 2016/679.
In the event that the user / Data Subject sends to Scovaventi S.S. Agricola personal data not requested or not necessary for the performance of its activity, Scovaventi S.S. Agricola cannot be considered the Controller of these data and will delete them as soon as possible.
The personal data will in any case be kept for the fulfillment of the obligations (e.g. fiscal and accounting obligations) that remain in force even after the termination of the contract (article 2220 of the Italian Civil Code). For these purposes the Data Controller will only retain the data necessary for the relative pursuit of the obligations imposed by law.
Except in cases where the rights deriving from the contract are to be asserted in court, in which case the personal data of the Data Subject, exclusively those necessary for such purposes, will be processed for the time necessary for their pursuit.
Rights of the Data Subject
The Data Subject has the right to obtain from the Data Controller the following:
- The confirmation that personal data is being processed and in this case, to obtain access to personal data and to the following information:
- The purposes of the processing;
- The categories of personal data in question;
- The recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations;
- When possible, the foreseen retention period of the personal data, or, if it is not possible to identify the term, the criteria used to determine this period;
- The existence of the right of the Data Subject to ask the Data Controller to rectify or delete personal data, where possible, or to limit the processing of personal data concerning him or to oppose their treatment;
- The right to lodge a complaint with a control Authority;
- If the data are not collected from the Data Subject, all information available on their origin;
- The existence of an automated decision-making process, including profiling, and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the Data Subject;
- The appropriate guarantees provided by the third country (non-EU) or by an international organization to protect any transferred data.
- The right to obtain a copy of the personal data being processed, provided that this right does not affect the rights and freedoms of others. In case of further copies requested by the Data Subject, the Data Controller will be entitled to charge a reasonable fee based on administrative costs.
- The right to obtain from the Data Controller the correction of inaccurate personal data concerning him without undue delay.
- The right to obtain from the Data Controller the deletion of personal data concerning him without undue delay, if the reasons set forth in EU Regulation no. 2016/679 (GDPR) pursuant to art. 17, among which, for example, the case in which they are no longer necessary for the purposes of the processing or this is assumed to be illegal, and always if the conditions required by law exist. The rights referred to in paragraphs 1 and 2 of art. 17, pursuant to paragraph 3 lett. b) of the same article do not apply in the event that the processing is necessary for the fulfillment of a legal obligation that requires the processing provided for by the right to which the Data Controller is subject or for the performance of a task performed in the public interest;
- The right to obtain from the Data Controller the limitation of the processing, in the cases provided for by article 18 of the EU Regulation no. 2016/679 (GDPR), such as for example where its accuracy is contested, for the period necessary for the Data Controller to verify its accuracy. The Data Subject must be informed, in reasonable time, also of when the suspension period is over or the cause of the limitation of the processing has ceased, and therefore the limitation itself revoked. Pursuant to article 18, second paragraph of the EU Regulation no. 2016/679 (GDPR), if processing is limited, such personal data may still be processed if the processing is carried out for reasons of public interest that are relevant to the Union or to a Member State.
- The right to obtain communication from the Data Controller of the recipients to whom the requests for any corrections or cancellations or limitations of the processing have been transmitted, unless this proves impossible or involves a disproportionate effort;
- The right to receive, in a structured format, commonly used and readable by automatic device, the personal data concerning him and the right to transmit such data to another Data Controller without impediments by the Data Controller who supplied them, in the cases provided for by art. 20 of the GDPR, and the right to obtain the direct transmission of personal data from one Data Controller to another, if technically feasible.
- The Data Subject has the right to object at any time, for reasons connected with his particular situation, to the processing of personal data concerning him, pursuant to article 6 first paragraph, lett. e) or f), including profiling on the basis of these provisions. In this case, the Data Controller will refrain from further processing personal data unless he proves the existence of binding legitimate reasons to proceed with the processing that prevail over the interests, rights and freedoms of the Data Subject or the assessment, the exercise or the defense of a right in C
Right to propose a Complaint to the Data Protection Authority, or Appeal to the judicial authority
The Data Subject has the right to choose the legal protection remedy that he considers most effective, opting between the claim to the Data Protection Authority and the appeal before the Judicial Authority. The choice of one procedure excludes the other. The Data Subject can contact the Authority through a complaint as provided for in accordance with article 77 of the EU Regulation no. 2016/679 (GDPR). This protection is alternative to any other action taken or to be established in front of the ordinary Judicial Authority pursuant to art. 82 of the EU Regulation no. 2016/679 (GDPR).
Data Protection Officer (DPO)
The Data Protection Officer is Avv. Valerio Nicosia of the Court of Verona, with firm’s address in Corso Porta Nuova, 34 37122 – Verona.
Email address: firstname.lastname@example.org.