INFORMATION ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLE 13 OF EU REGULATION 679/2016
FOREWORD
EU Regulation 679/2016 (hereinafter, for brevity, ‘GDPR’) aims to ensure that the processing of personal data is carried out with respect for the fundamental rights and freedoms and dignity of the data subject with reference to confidentiality and personal identity and the right to data protection.
The GDPR defines ‘processing’ as ‘any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’. Pursuant to and for the purposes of the GDPR, DS Group S.p.A., with registered office in Corso Venezia 36 – 20121 – Milan (MI) (hereinafter, for brevity, the ‘Data Controller’), informs you that it will process the data of your Company and/or of the employees, legal representatives and collaborators of your Company (‘Data Subjects’), with whom it comes into contact during the course of the execution of the business relationship existing between the parties (‘Data’), for the purposes indicated below.
The Data Controller acknowledges that it has appointed a Data Protection Officer (‘DPO’) who can be contacted at dpo@dsgroup.it.
1. TYPE OF DATA PROCESSED AND THEIR ORIGIN. PURPOSE AND LEGAL BASIS OF THE PROCESSING:
The Controller may process Data Subjects’ Data (such as personal and contact data), collected directly from the same, or provided by your Company, for the following purposes:
a. for the performance of its contractual obligations and for defensive purposes in the event of litigation or pre-litigation, pursuant to Article 6.1(b) and (f) of the GDPR;
b. for the fulfilment of related legal obligations, pursuant to Article 6.1(c) of the GDPR;
c. for the purpose of sending, by email, promotional communications on products and services similar to those that may have already been purchased from your Company, pursuant to Article 6.1, letter f) of the GDPR, unless the Data Subject exercises his/her right to object to the processing of data for such purposes, in the manner indicated in this notice and/or contained at the bottom of the email.
2. NATURE OF THE CONFERMENT AND CONSEQUENCES OF A POSSIBLE REFUSAL
The provision of Data for the purposes set out in letters a) and b) is mandatory, as it is strictly necessary for the Controller to fulfil its contractual obligations towards the company for which the data subject works. Any refusal to do so would therefore jeopardise its proper performance.
The provision of Data for the purpose referred to in letter c) is optional. Therefore, any refusal to such processing would have no consequence on the performance of the business relationship.
3. DATA PROCESSING METHODS AND CATEGORIES OF SUBJECTS TO WHOM THE DATA MAY BE COMMUNICATED
The Data will be processed using manual, computerised and telematic tools, with logic strictly related to the purposes outlined above and, in any case, by parties authorised to carry out such tasks, suitably aware of the constraints imposed by the GDPR, and equipped with security measures to ensure the confidentiality of personal data and to prevent undue access by third parties or unauthorised personnel.
The Data may be communicated, to the extent strictly necessary for the purposes pursued, to companies that may be entrusted with specific processing operations, to firms of accountants and consultants in charge of bookkeeping, to banks, to third-party entities or associations with which the Data Controller collaborates, which will operate, respectively, as data processors pursuant to Article 28 GDPR or as autonomous data controllers. These entities will only come into possession of the personal data necessary for the performance of their functions and may only use them in order to perform such services on behalf of the Controller or to comply with legal requirements. The Data may also be communicated to the police, to judicial authorities, and to subjects who can access them by virtue of legal provisions or secondary or EU regulations.
4. DURATION OF DATA PROCESSING AND STORAGE
For the purposes under letters a) and b), the Data shall be processed and kept, also by automated means, for the time strictly necessary for the execution of the business relationship with your Company, after which it shall be kept only in compliance with the relevant legal obligations and/or for defensive purposes.
For the purpose under letter c), the Data will be processed and kept for the period of 24 months from the collection of the Data.
5. RIGHTS OF THE DATA SUBJECT
Pursuant to Art. 15 et seq. of the GDPR, each data subject has the right, at any time and free of charge, to request information regarding the processing of Data, the period of storage of the same, to obtain a copy thereof, to rectify, supplement or update and/or erase it.
The interested party has the right to obtain the restriction of the processing of the Data and to receive a copy in a commonly used, machine-readable format.
In order to exercise these rights, he/she may send a communication to the Data Controller at the address indicated in the header of the page by registered letter with return receipt or by e-mail to the address: privacy@dsgroup.it or by contacting the Data Protection Officer at dpo@dsgroup.it. If the data subject considers that his or her rights under the Law have been violated by the Controller and/or a third party, he or she has the right to lodge a complaint with the Personal Data Protection Authority and/or another competent supervisory authority.