Information on the processing of personal data
Pursuant to and for the effects (i) of EU Regulation 2016/679 on the ‘protection of natural persons with regard to the processing of personal data, and on the free circulation of such data’, the “GDPR”, art.13 and (ii) of Legislative Decree of 30 June 2003, n. 196, the ‘Privacy Code’, also jointly called ‘Privacy Policy’, some obligations are set forth upon the subjects carrying out the processing – intended as ‘the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form available, comparison or combination, restriction, cancellation or destruction’ – of personal data referred to other subjects (The “Processing”).
SABO S.p.A. with registered office in Via Caravaggi, Levate (BG) – postal code 24040 (the “Company”) wishes to inform you, in the following sections, about the methods and purposes dealing with the processing of your personal data.
- A. Data Controller
The Data Controller is the person who determines the purposes and means of processing personal data (the “Data Controller”) and is identified in SABO S.p.A.
The Data Controller may be contacted by mail at the following address Via Caravaggi – Levate (BG) – Postal code 24040 or at the following e-mail address: privacy@sabo.com.
- B.Methods of collecting the data of the interested party
The Data Controller may come into possession of your data in the following circumstances:
- in case of a contact request through our website, by e-mail or phone, to request information about our services and products;
- in case of purchase of a product and/or a service carried out by our Company, including pre-contractual negotiations;
- if you provide your data to receive direct marketing communications, newsletters and/or to be updated on the events organised and the marketing initiatives carried out by the Company:
- if the commercial partners of the Data Processor legitimately transfers your personal data to the Controller;
- if the Data Controller acquires your personal data from other sources in accordance with the applicable laws and the requirements under Art. 14 of the GDPR (i.e. public registers, directories, acts or documents available to anyone within the limits and under the conditions provided by law on their knowability).
- C. Categories of data subject to processing
Data processed by Data Controller may include:
- Data related to natural persons that are necessary to sign and perform a contractual/commercial relationship with a customer/supplier, such as those referred to the customers/suppliers themselves or those of the legal representative of the customers/suppliers signing the contract for and on behalf of the latter or of the company’s internal representatives of the customers/suppliers themselves (i.e. name, surname, phone number, email, bank account), involved in the activities dealing with the main contractual/commercial relationship, as well as any other information necessary to perform the contractual/commercial relationship and/or provide services;
- Information relating to the modalities in which you use the Company’s website, you open or send the communications received by the Company, including the information collected through cookies and other tracking technologies;
- Images of you collected with photos/videos taken during any event organized by the Company.
(hereinafter also “Data”)
- D. Purposes and legal basis of the processing
Within the meaning of the Privacy Policy, the processing of personal data must be legitimised by one of the legal provisions provided by art 6 of the GDPR. These are specifically described for each purpose under which the Data Controller processes your Data:
- Management of the contractual relationship: the Data Controller shall process your data to reply to your requests, and to fulfil the preliminary requirements for the conclusion of the contract.Legal basis: processing is necessary for the performance of your contract or of the pre-contractual measures adopted upon your request (art. 6 par. 1 letter b of the GDPR).Data storage policy: The data that we collect only for an estimate will be stored for a maximum period of five years. The data processed to perform the contract may be stored for the whole duration of the contract and for the subsequent ten years from the end of the fiscal year following the year in question.
- Fulfilment of legally binding obligations: The Controller processes your data to fulfil any private law, administrative, fiscal, accounting obligation provided by law, a Regulation, the European legislation or by an order of the Authorities deriving from the outstanding relationship with you;Legal basis: processing is necessary for the performance of your contract (art. 6 par. 1 letter b of the GDPR) or to fulfil a legal obligation of the Controller (art. 6 par. 1 letter c of the GDPR)Data storage policy: Data may be stored for the period of time necessary to fulfil any legal obligation and, in any case, for the whole duration of the contract and for the subsequent ten years from the end of the fiscal year following the year in question.
- Defend the case for the Data Controller’s rights: if necessary, the Controller will provide all the information dealing with you to the Authorities and the bodies responsible for the enforcement of law, regulation or judicial documents, as well as to third parties into formal dispute. The Data Controller reserves the right to process your personal data to defend his or her rights deriving from the Contract before a judge, also for debt collection, directly or by third parties (debt collection agencies/companies), who will receive your data only for these purposes.Legal basis: processing is necessary for the purposes of the legitimate interest pursued by the controller, in order to defend a right or make further demands on the outstanding commercial relationship, except where such interests are overridden by the interests or fundamental rights (art. 6 par. 1 letter f of the GDPR).Data storage policy: your data may be stored for the necessary period of time in order to allow the Company to take actions or defend against eventual claims towards you or third parties.
- Marketing activities: Data collected in performing the sale of a product and/or service also through the Company’s website may be processed to send you commercial/promotional communications – by automated means (such as e-mail, sms or mms) and/or traditional ones (i.e. paper mail) related to services offered by the Company – and/or invitations to events organised by the company, as well as for the execution of market researches, statistical analysis or customer satisfaction analysis. analysis, you will be informed of the modalities to refuse consent to processing, easily and free of charge. As for promotional purposes of the company, with your consent, the Controller will collect and publish your image on any means of communication, on the company’s website, on social media or in the local, national or international newspapers as well as on any other means (existing or to be invented in the future).
Legal basis: you have given your consent as data subject of the processing (art. 6 par. 1 letter a of the GDPR).Data storage policy: data collected for marketing purposes may be stored until you withdraw consent, except when any image of you has been published on our website, social media or commercial brochures. - Promotional activities: in order to promote the core business of the Company, the Controller shall collect personal data pertaining to you (carried out during promotional events) and would share your image on any means of communication, on the Company’s website, on social media (for instance Facebook) or in the local, national or international newspapers as well as on any other means (existing or to be invented in the future), without any compensation.
Legal basis: you have given your consent as Data subject of the processing (art. 6 par. 1 letter a of the GDPR).Data storage policy: Data concerning your image will be stored in the controller’s database for twenty-four months. Then, they will be erased, except where they have been shared on the internet, social medias or commercial brochures. You can withdraw consent to the abovementioned processing at any time.
If the Controller intends to process your Data for other purposes than those mentioned above, he or she is required to inform you of these other purposes before performing it.
- E. Nature of consent to data processing
Consent to Data processing for letter a), b), c) purposes is mandatory since it is required to perform legal and contractual obligations. Any refusal or successive withdrawal may determine the inability for the Controller to fulfil the outstanding contractual relationship.
Instead, consent to Data processing for letters d) and e) is optional and the failure to give consent to the processing to those Data will determine the inability to carry out the Activities indicated therein.
- F. Data processing methods
Data processing will be carried out by the Company in compliance with the security measures under art. 32 of the GDPR, through manual, information system and computerised tools specifically designed to store, manage and transmit them to pursue only the purposes for which the data were collected and, in any case, to guarantee their security and confidentiality, as well as in full compliance with the principles of fairness, lawfulness and transparency.
No automated tools are used by the Controller to process Data.
- G. Data communication
Access may be granted to:
- Controller’s employees and associates in charge and/or internal Processors and/or system administrators;
- External third parties carrying out on behalf of the controller outsourcing activities for purposes dealing with support, administrative, accounting, fiscal areas or for purposes related to supply relationship or legal protection;
- Other third parties with the aim of providing the services specifically requested. The third parties are solely provided with the information necessary to carry out their respective functions;
- Supervisory bodies, judicial authorities and all other subjects which by law require such communication in order to achieve these purposes.
- H. Data transfer to a third country or an international organization
Personal data are processed within the European Union and stored on servers located there. In any case, it is understood that the Data Controller, if necessary, will have the right to transmit such data to a third country or an international organisation and/or move the servers even outside the EU. In this case, the Data Controller assures from now on that the transfer of non-EU data will take place in compliance with the applicable legal provisions, as per art. 44 and following of the GDPR.
- I. Data subject’s rights
The Company informs you that, pursuant to articles 15-22 of the GDPR and in relation to your personal data, you as Data subject may exercise specific rights at any time, by contacting the Data Controller, such as:
- Access to your personal data and information, i.e. the possibility to get the confirmation from the Data Controller that the processing of personal Data is in progress. In this case you can get access to own personal Data;
- Rectification of incorrect personal data, as well as the integration of the incomplete data (with an integrative statement);
- The right to deletion of your personal Data if (i) the personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;, (ii) you withdraw consent on which the processing is based and there is no other legal ground for the processing; (iii) the personal data have been unlawfully processed; (iv) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (v) the data subject objects to the processing pursuant to Article 21subsection 1 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 subsection 2 of the GDPR, (personal data processed for direct marketing purposes).
- Right to limitation of processing where the accuracy of personal data is contested (for the period necessary for the Data Controller to verify the accuracy of such personal data) or the processing is unlawful and/or the interested has opposed the Treatment asking for its limitation;
- Right to data portability like right to receive from the Data Controller personal data in a structured format, commonly used and readable by an automatic device and to transmit such data to another Data Controller, only for cases where the treatment is based on consent and only for data whose treatment is carried out by automated means;
- Right to object without prejudice to the right of the Data Controller to demonstrate the existence of legitimate reasons for proceeding with the Treatment anyway;
- Withdrawal of consent at any time, if the treatment is based on your explicit consent, without negative effects on the lawfulness of the treatments carried out until the exercise of the revocation;
- Right to lodge a complaint with a supervisory Authority of the Member State in which you reside or habitually work or the state in which the alleged violation occurred without prejudice to any other administrative or judicial appeal, in case of violation of the aforementioned regulation.
If you need further information on the processing of your personal data and to exercise the above mentioned rights, you can send a written request using the contacts provided in the ‘Data Controller’ section of this statement. If you request more information about your data, the Data Controller shall respond promptly – unless it is impossible or involves a manifestly disproportionate effort compared with the right to be protected – and in any case no later than thirty days from the request. The Data Controller will justify any inability or delay in doing so to meet the request.
Last update: October 2020