1. TYPE OF DATA PROCESSED BY THE COMPANY THROUGH THE WEBSITE
Under the Privacy laws, the Data Controller processes the following personal data you provide (your “Personal Data”) when you navigate the Website [when you register in the Reserved Area]:
1. general identification data (such as, by way of example and not limitation, name, surname, e-mail address, etc.);
1.1 Data obtained when a User navigates the Website
The computer systems, cookie technology, and software procedures used for the running of the Website acquire, over the course of their normal operation, certain data whose transmission is implicit to the use of the Internet. This information is not collected to be associated with identified data subjects; however, the nature of said data might, through processing and associations with data held by third parties, allow the identification of the Users who navigate a website.
This category of data includes, by way of example, IP addresses or domain names of the computers used by the Users connecting to the Website, the pages viewed by Users within the Website, the domain names and the Internet addresses from which Users have accessed the Website (through referrals), the URIs (Uniform Resource Identifiers) of the queries made, the time of queries, the method used to submit a query to a web server, the size of the file obtained in reply, the numeric code indicating the status of the reply from the web server, and the other parameters on the type of browser used (e.g., Internet Explorer, Google Chrome, Firefox), the operating system (e.g., Windows), and the User’s computer environment.
2. LEGAL GROUNDS AND PURPOSES FOR THE PROCESSING OF PERSONAL DATA
The legal ground for the Processing of your Personal Data, collected through the Website, is your consent.
2.1 We wish to also inform you that your Personal Data shall be processed without your consent, under Article 6 of the GDPR, for the following purposes (the “Purposes”):
1. provide the maintenance and technical assistance required to ensure the proper operation of the Website and the services connected thereto;
2. improve the quality and the structure of the Website, and create new Website Services, functionalities, and/or characteristics;
3. allow the Data Controller to provide its Services;
4. allow the Company to exercise its rights in legal proceedings and to handle litigation;
5. comply with obligations of law and/or regulation;
6. collaborate with the public authorities, and prevent and suppress unlawful acts, including by way of disciplinary measures;
7. for statistical and historical purposes, if any.
3. PROVISION OF PERSONAL DATA
The provision of data by Users is mandatory for the purposes of the service as per points 2.1 and 2.2 herein. Where Users should refuse to provide said data, the Company may be unable to provide the Services offered through the Website.
The provision of the data by Users is optional for the commercial purposes as per point 2.3 above. Where Users should refuse to provide said data, they will not receive any commercial communications on products, initiatives and/or services offered by the Data Controller. However, they may still access the services under points 2.1 and 2.2 above.
4. PROCESSING OF PERSONAL DATA AND METHODS OF PROCESSING
We inform you also that the processing of your Personal Data may, under Article 4 of the GDPR, consist in the following activities (the “Processing”): collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or otherwise making available, alignment, interconnection, restriction, erasure, or destruction of the Personal Data.
We also inform you that your Personal Data:
• shall be processed in line with the principles of lawfulness, fairness, and transparency;
• shall be collected for the legitimate Purposes indicated above;
• shall be adequate, relevant, and limited to what is necessary for the Purposes for which they are processed;
• shall be stored, in a form that enables your identification, for a period of time not exceeding the attainment of the Purposes for which they are processed, and, in any case, not exceeding 1 year of their collection for the Purposes under point 2.1 and 2.2, and not exceeding 1 year of their collection for the commercial purposes under point 2.3 herein;
• shall be processed in a manner such as to ensure adequate security from the risk of destruction, loss, modification, distribution, or unauthorised access, by implementing technical and organisational security measures.
Your Personal Data may be processed through the use of paper media, automated, computer, or telecommunication tools, with organisational means and a logic strictly connected to the Purposes indicated above.
The Data Controller uses the most appropriate technological and security measures (electronic, computer, physical, organisational, and procedural) to ensure the security and confidentiality of the data processed. Such measures include maintaining a secure system for storing and using data, based on encryption, detection of intrusions, and prevention and protection software.
Users, however, acknowledge that the very communication of personal data via Internet sites presents risks connected to the disclosure of such data, and that no system is completely secure or immune from tampering and/or intrusions by third parties.
5. ACCESS TO PERSONAL DATA
Without prejudice to the communications carried out in compliance with the obligations of law and/or regulation, your Personal Data may be made accessible, for the Purposes, to:
a) Employees and/or collaborators in our headquarters or territorial offices, duly authorised by the Data Controller, in their capacity as persons authorised to process Personal Data and/or system administrators.
6. COMMUNICATION OF PERSONAL DATA
Without the express consent of the User (under Article 6, letters b) and c) of the GDPR), the Data Controller may communicate the User’s data for the Purposes of the service as per points 2.1, letters d) and f), to supervisory and/or control bodies, judicial Authorities and any other entities to whom the Data Controller is under legal obligation to disclose such data for the performance of the above Purposes, in their capacity as autonomous data controllers.
The Users’ data shall not be disclosed to the public or to unknown parties.
In addition to the Data Controller, in certain cases the Personal Data may be accessed or processed, in the Data Controller Country and abroad, for the above Purposes, by categories of third parties involved in the organisation of the Data Controller or the Website - who, if required, are appointed as Processors by the Data Controller - including, by way of example:
• providers of third-party technical services;
• couriers and postal services;
• hosting providers;
• information technology companies;
• experts or consultants (on legal, commercial, administrative, fiscal, tax, city planning, environmental, and quality and security matters, and on issues pertaining to financial statement certifications, the Group’s listing in the Stock Exchange, etc.) who have been assigned tasks for which the knowledge of the Users’ Personal Data is required;
• communication agencies;
• credit institutions;
• insurance companies;
• companies within the SOL Group (for management, statistical, or data consolidation needs).
7. DATA TRANSFER OUTSIDE THE EU
Your Personal Data shall not be transferred to recipients other than those indicated in this document.
Your Personal Data may be communicated abroad exclusively for the Purposes.
Your Personal Data may be transferred to non-EU Countries exclusively within the terms and with the guarantees provided for in the Privacy Laws and within the limitations of what is useful to best manage the service.
8. YOUR RIGHTS
We wish you to know that, in your capacity as data subject, you have the legal right to revoke your consent to the processing of your personal data at any time. Furthermore, you may, at any time, exercise the following rights (“Your Rights”):
a) the “right of access” to your Personal Data as per Article 15 of the GDPR, and namely: obtain confirmation on the existence of Personal Data that concern you, including when not yet recorded, and obtain the communication thereof in intelligible form, and obtain the following information:
1. the purposes and methods of Processing of your Personal Data (including the existence of an automated decision-making process, including profiling as per Article 22, paragraphs 1 and 4 of the GDPR, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject), the categories of your Personal Data processed, the origin of your Personal Data, the period of retention of your Personal Data (where possible) or the criteria used to determine such period;
2. the identification details of the data controller, the processors, and the supervisor appointed under Article 5, paragraph 2, e) of the GDPR and in general of all the parties or categories of parties to whom your Personal Data have been or shall be communicated within the Country, and in particular whether or not there are third-Country recipients or international organisations involved (and, in such case, you shall also have the right to be informed on the existence of adequate guarantees under Article 46 of the GDPR with respect to the transfer of Personal Data);
3. the existence of your right, as Data Subject, to request from the data controller rectification or restriction of processing of personal data concerning you, or to object to such processing;
4. the right to lodge a complaint with the Privacy Supervisory Authority for the protection of your Personal Data (the “Privacy Supervisory Authority”);
b) the “right to rectification” as per Article 16 of the GDPR: the right to request the rectification or, where in your interest, to obtain completion of your Personal Data;
c) the “right to erasure” (right to be forgotten) as per Article 17 of the GDPR: the right to obtain the erasure, anonymisation, or blocking of data processed in violation of the law, including data whose storage is not required with respect to the purposes for which your Data was collected or subsequently processed;
d) the “right to restriction of processing” as per Article 18 of the GDPR: the right to obtain restriction of processing in some of the cases provided for in the Privacy Law;
e) the right to request the Data Controller, under Article 19 of the GDPR, indication of the recipients to whom the Data Controller has disclosed any rectifications or cancellations or restrictions of processing (carried out under Articles 16, 17, and 18 of the GDPR, in compliance with the notification obligation, unless this proves impossible or involves a disproportionate effort);
f) the “right to data portability” as per Article 20 of the GDPR: the right to receive your Data (or transmit those Data to another controller) in a structured, commonly used and machine-readable format;
g) the “right to object” as per Article 21 of the GDPR: the right to object, in whole or in part,
1. on legitimate grounds, to the processing of your Personal Data, including where pertinent to the purpose for which they were collected;
2. to the processing of your Personal Data for the purpose of sending advertisement material or direct sale or to perform market surveys or for the purpose of marketing communication.
In the cases above, where necessary, the Data Controller shall inform the third parties to whom your Personal Data have been communicated of the exercise of your rights, except for specific cases (e.g., when such obligation proves to be impossible or involves a use of means that is manifestly disproportionate to the right being protected).
9. EXERCISING YOUR RIGHTS AND LODGING A COMPLAINT WITH THE PRIVACY SUPERVISORY AUTHORITY
You may exercise your rights at any time in the following manners:
a) by sending a registered letter with proof of receipt to the address of the Data Controller at Via Borgazzi 27, 20900, Monza;
b) by sending an e-mail to firstname.lastname@example.org;
c) by calling the number 039/2396.
We wish to inform you that under the Privacy Laws you have the right to lodge a complaint with the Privacy Supervisory Authority. To lodge such complaint, you may either hand the complaint in person to the offices of the Privacy Supervisory Authority (at the address indicated below) or send:
a) a registered letter with proof of receipt addressed to: “Garante per la protezione dei dati personali”, Piazza di Monte Citorio, 121, 00186 Roma;
b) an e-mail to email@example.com;
c) a fax to 06-696773785.
For more information, please visit the web page of the Privacy Supervisory Authority: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524
10. DATA CONTROLLER, DATA PROCESSOR AND DATA PROTECTION OFFICER
The Data Controller is SOL SpA with registered offices at Monza, Via Borgazzi, n. 27, and VAT Code 00771260965 registered with the Company Register of Iscrizione R.E.A. di Monza e Brianza n. 991655.
The Processor is SOL SpA with registered offices at Monza, Via Borgazzi, n. 27, and VAT Code 00771260965 registered with the Company Register of Iscrizione R.E.A. di Monza e Brianza n. 991655.
An updated list of any additional data Processors (to whom your Personal Data are disclosed, and who are duly appointed in writing), is available at the Company’s registered offices.
The Company exercised its right to appoint a DPO. The DPO is SOL SpA with registered offices at Monza, Via Borgazzi, n. 27, and VAT Code 00771260965 registered with the Company Register of Iscrizione R.E.A. di Monza e Brianza n. 991655.
For any additional clarification or inquiry, you can contact the DPO, at: firstname.lastname@example.org.