pursuant to Articles 13 and 14 of Regulation (EU) 2016/679
Following the entry into force of the Regulation (EU) 2016/679 on personal data protection (“GDPR”), with this document (“Notice”), the Data Controller, as defined below, informs you about the purposes and methods of the processing of your personal data and about your rights as data subject.
This Notice is addressed to employees, administrators and contacts of the clients as legal entities whose data the Data Controller has to process in order to enter into the contract or follow it through.
1. Who the data controller is
The data controller is Carlo Gavazzi Automation Spa, with registered office in Milano, in the person of its pro tempore legal representative.
You may contact the Data Controller to exercise your rights as listed in paragraph 8 below, as well as to ask for any further information, at the following email address: [email protected].
2. Which personal data we process
For the purposes set forth in this Notice, the Data Controller processes the following personal data:
- Common identification data: name, surname, address, phone number, e-mail address and other contact details;
- data relating to concluding the contract.
Your personal data processed by the Data Controller is that provided directly by you or supplied by a third party (e.g. the company for which you work, client of the Data Controller). This Notice also covers the processing of your personal data supplied by third parties.
3. Purposes of processing and legal basis
3.1 Execution of a contract and compliance with legal obligations
The processing to which your personal data will be subjected is aimed at carrying out the activities connected to the execution of a contract for the supply of products and services, the subsequent management of administrative, accounting and fiscal obligations and the fulfilment of obligations provided for by laws, regulations and EU legislation, as well as by any instructions given by legalised authorities and by supervisory and inspection bodies.
For the processing of your personal data, aimed at executing a contract and complying with the related legal obligations, the legal basis of the processing is the legitimate interest of the Data Controller to process the personal data of the employees, administrators and contacts of the client as legal entities for the purpose of fulfilling a contract signed with the client, pursuant to Article 6, paragraph 1, letter f), of the GDPR.
Consequently, your personal data will be processed only in so far as is strictly necessary for the management of the current relationship between the Data Controller and the company for which you work, client of the Data Controller, and for compliance with a legal obligation to which the controller is subject, pursuant to Article 6, paragraph 1, letter c) of the GDPR.
3.2 Marketing communications
The Data Controller may process your contact details for the purpose of sending you direct marketing communications, such as catalogues, promotions, invitations to events and other information related to the products of the Carlo Gavazzi Group.
The sending of direct marketing communications does not require your consent, because the legal basis of the processing is the legitimate interest of the Data Controller.
We inform you that, at any time, you have the right to object to direct marketing activities, by contacting the Data Controller at one of the contact details indicated in paragraph 1 of this Notice.
4. Nature of the provision of personal data and consequences of a refusal to supply it
The provision of your personal data is a mandatory requirement to enter into the contract and execute it.
Your refusal to provide the requested personal data will result in the impossibility for the Data Controller to follow through your pre-contractual and contractual requests and to execute the contract.
However, the provision of your personal data for the sending of direct marketing communications is not mandatory. The refusal to provide such personal data or the decision to object to its processing for direct marketing purposes will not prevent the Data Controller from executing the contract signed with the company for which you work, but will prevent the Data Controller from sending communications related to the products and services of the Carlo Gavazzi Group.
5. Period of retention of your personal data
The Data Controller will process your personal data for as long as is necessary for the management of the contract and the related legal obligations.
For marketing purposes, your contact details will be retained by the Data Controller for the whole of the period of the contract and for an additional period of 24 months as from the termination of the contract. At the end of this period such data will automatically be deleted or permanently made anonymous.
For all other purposes your personal data will be retained for a maximum period of 10 years, plus one, as from the termination of the contract, in accordance with the applicable law.
6. Methods by which your personal data will be processed
Your personal data will be processed, pursuant to the provisions of the GDPR, by means of paper, computerized and telematic tools, strictly according to the purposes indicated above and in an appropriate way to guarantee its security and confidentiality in accordance with Article 32 of the GDPR.
7. Who your personal data may be communicated to and who may get to know it
For the purposes described in paragraph 3 above, your personal data will be processed by employees who are authorized to process this data, by authorized professionals and by the Data Controller’s personnel.
Your personal data will also be processed by the following third parties:
a) persons to whom, for various reasons, the Data Controller has recourse for the execution of the contract;
b) service providers for the management of the IT system and data storage;
c) legal and/or fiscal and/or labour law consulting service providers;
d) supervisory and inspection bodies and authorities.
The above subjects shall act, in some cases, as autonomous data controllers, in other cases as data processors specifically appointed by the Data Controller pursuant to Article 28 of the GDPR.
You can request a complete and updated list of those to whom your personal data may be communicated by writing to the email address: [email protected].
Personal data processed by the Data Controller will also be transferred outside the European Union. In any case, the Controller assures you that your personal data will be transferred to third countries that guarantee an adequate level of protection, in compliance with the specific conditions required by Articles 45, 46 and 49 of the GDPR.
Your personal data will not be disclosed to the public.
8. Your rights as data subject
With regard to the processing described in this Notice, as data subject and in accordance with GDPR conditions, you may exercise any of the rights included in Articles 15 to 21 of the GDPR. In particular:
- Managing Your Information - Right of access – Article 15 of the GDPR: the data subject shall have the right to obtain from the data controller confirmation as to whether or not their personal data is being processed and, where that is the case, access to the personal data and the following information (also by receiving a copy of the same):
a) the purposes of the processing;
b) categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data has been or will be disclosed;
d) where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine such period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of the processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with the supervisory authority;
g) the source of the personal data, if not collected directly from the data subject;
h) the existence of automated decision-making, including profiling;
- Rectification of Inaccurate or Incomplete Information - Right to rectification – Article 16 of the GDPR: the data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data and/or the right to have incomplete personal data
- Erasure - Right to erasure – Article 17 of the GDPR: the data subject shall have the right to obtain from the controller the erasure of their personal data without undue delay, if:
a) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
b) you withdraw your consent, and there is no other legal ground for the processing;
c) you object to the processing of your personal data on legitimate grounds;
d) the personal data has been unlawfully processed;
e) the personal data has to be erased for compliance with a legal obligation;
f) the personal data has been collected in relation to an offer from information services referred to in Article 8, first paragraph, of the GDPR.
Please note that if you request the erasure of your personal data, we may retain and use your personal data to the extent necessary to comply with our legal obligations or for the performance of a duty carried out in the public interest or in the exercise of official authority vested in the Data Controller, or for the establishment, exercise or defence of legal claims;
- Restriction of processing - Right to restriction of processing – Article 18 of the GDPR: the data subject shall have the right to obtain from the controller restriction of processing if:
a) the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of legal claims;
d) you have objected to the processing pursuant to Article 21, first paragraph, of the GDPR, pending verification as to whether the legitimate grounds of the controller override yours.
- Data Access and Portability - Right to data portability – Article 20 of the GDPR: the data subject shall have the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning yourself provided to the Data Controller and the right to transmit that data to another data controller without hindrance, if the processing is based on consent and is carried out by automated means. The data subject shall also have the right to have their personal data transmitted directly from one data controller to another data controller, where
- Right of opposition – Article 21 of the GDPR: the data subject shall have the right to object, at any time, to the processing of their personal data, based on the legitimacy of legitimate interest, including profiling, unless there are legitimate reasons for the Data Controller to continue processing which prevail over your interests, rights and freedom, or for the establishment, exercise or defence of a right in court;
The above rights may also be exercised by contacting the Data Controller, using the contact details indicated in paragraph 1. The Data Controller will take care of handling your request and provide you, without undue delay and, in any case, no later than one month after receipt of your request, with information related to the actions taken regarding your request.
The exercise of your rights as data subject is free according to Article 12 of the GDPR. However, in the case of clearly unfounded or excessive requests, also due to their repetitiveness, the Data Controller may charge a reasonable fee, in light of the administrative costs incurred for managing your request, or refuse to satisfy your request.
Finally, we inform you that the Data Controller may request further information in order to confirm your identity.