Pursuant to the combined provisions of Italian Legislative Decree No. 196 of 30 June 2003 ‘Personal Data Protection Code’ (Privacy Act) and Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as ‘GDPR’)
1. the GDPR, published in the Official Journal of the European Union (OJ) L 119, 4 May 2016, entered into force on 25 May 2016 pursuant to Article 99 and is directly applicable in all Member States from 25 May 2018;
2. until measures are introduced aimed at aligning the national regulatory framework with the provisions of EU Regulation No. 679/2016 (GDPR), application of the Privacy Code (Italian Legislative Decree No. 196/2003) is also required to the extent that it is not incompatible with the provisions of the GDPR;
3. without prejudice to what is already provided for and regulated by Italian Legislative Decree No. 196/2003, the GDPR – with the exceptions provided for in Article 2 – applies to the processing of personal data wholly or partially by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system;
4. pursuant to Article 5 of the GDPR (‘Principles relating to processing of personal data’), the personal data of the data subject shall be processed according to principles of:
• lawfulness, i.e. in compliance with the rules; fairness, i.e. in compliance with uncodified ethical rules; and transparency towards the data subject, i.e. guarantee of data subject’s awareness, data traceability and data disclosure at any time on request by the data subject (point (a));
• ‘purpose limitation’ i.e. shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (point (b));
• ‘data minimisation’, i.e. shall be collected in an adequate and relevant way, limited to what is necessary in relation to the purposes for which they are processed (point (c));
• ‘accuracy’, i.e. shall be collected in an accurate way and, where necessary, kept up to date, erased or rectified if they are inaccurate (point (d));
• ‘storage limitation’, i.e. shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (point (e));
• ‘integrity and confidentiality’, i.e. shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (point (f));
5. in particular, processing shall be ‘lawful’ if and to the extent that, pursuant to Art. 6 of the GDPR (‘Lawfulness of processing’) at least one of the following applies:
• the data subject has given consent to the processing of his or her personal data for one or more specific purposes (point (a));
• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (point (b));
• processing is necessary for compliance with a legal obligation to which the Data Controller is subject (point (c));
• processing is necessary in order to protect the vital interests of the data subject or of another natural person (point (d));
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (point (e));
• processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (point (f)).
all of the above being stated, in compliance with the provisions of Article 13 (‘Information to be provided where personal data are collected from the data subject’) – Section 2 (‘Information and access to personal data’) of the GDPR, and with the provisions of Article 13 (‘Information to data subjects’) of Italian Legislative Decree No. 196/2003
that I have received the following information
Identification of the ‘Data Controller’:
(see definition of ‘Data Controller’ in Article 4(7) ‘Definitions’ of the GDPR: ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’ and definition of ‘Data Controller’ in Article 4(f) ‘Definitions’ of Italian Legislative Decree No. 196/2003: ‘the natural or legal person, public administration, body, association or other entity which, alone or jointly with others, determines the purposes and means of the processing of personal data and the relevant means, including security matters’):
The Data Controller is the company VTENEXT SRL (Tax Id and VAT No. 09869110966), represented by its legal representative pro tempore, based in Viale Fulvio Testi 223, Milan, Italy. Tel. (+39) 02 – 37901352; email firstname.lastname@example.org; certified email: email@example.com
Subject matter and modalities of processing:
(see definition of ‘Processing’ in Art. 4 ‘Definitions’ of the GDPR: ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’ and definition of ‘Processing’ in Art. 4(a) of Italian Legislative Decree No. 196/2003: ‘any operation or set of operations carried out, whether or not by electronic or automated means, for the collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, dissemination, erasure and destruction of data, whether the latter are contained or not in a data bank’; see definition of ‘Personal Data’ in Art. 4(1) ‘Definitions’ of the GDPR: ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’; and definition of ‘Personal Data’ in Art. 4(b) of Italian Legislative Decree No. 196/2003: ‘any information relating to natural or legal persons, bodies or associations that are or can be identified, even indirectly, by reference to any other information including a personal identification number’).
The Data Controller shall process the identifiable personal data provided by the data subject.
Processing of personal data is performed by means of the operations described in Article 4(2) of the GDPR and in Article 4(a) of Italian Legislative Decree No. 196/2003: collection, whether or not by electronic and automated means; recording for specified, explicit and legitimate purposes and further processing in a manner that is compatible with those purposes; organisation, storage, consultation, processing, alteration, selection, retrieval, alignment, use, combination, restriction, dissemination, erasure or destruction.
The personal data shall be processed, whether or not by paper, electronic or automated means, in a manner that ensures their security and confidentiality.
The Data Controller shall process the personal data for the amount of time required for fulfilling the purposes described above, taking care that they are kept as specified.
Purpose of personal data processing:
We collect and process personal data:
a) without explicit consent (see Article 24 of Italian Legislative Decree No. 196/2003 and Article 6 of the GDPR) for the following purposes:
• in order to enter into contracts for the provision of Data Controller’s services;
• in order to perform pre-contractual, contractual and tax-related obligations resulting from a contract to which the data subject is a party;
• in order to comply with obligations laid down by laws, regulations, community norms or Authority orders;
• in order to prevent or discover fraud or other forms of misuse that may cause damage to the website;
• in order to establish, exercise or defend the Data Controller’s rights, for example in legal proceedings.
b) with the data subject’s prior specific consent (see Article 7 of the GDPR) for the following marketing purposes:
• sending by email, regular mail and/or SMS or telephone newsletters, marketing communications and/or advertising material relating to the products or services offered by the Data Controller, measuring the level of satisfaction with the quality of the services offered, specifying that, if the data subject is already our customer, we may send marketing communications referring to services and products similar to those already used by the data subject, without prejudice to the data subject’s right to object (see Article 21 of the GDPR);
• sending by email, regular mail, SMS and/or telephone marketing and/or promotional communications by third parties (for example business partners, insurance companies, etc.);
Clarifications regarding the processing for ‘marketing purposes’ and ‘profiling purposes’
In the interest of the data subject, the following is clarified:
A. Personal data will also be collected for the purpose of marketing promotions and advertising communications, soliciting purchasing behaviours, carrying out market research, surveys (telephone, online and/or using questionnaires), statistical analyses (identifying the data subjects) and other market research in a broader sense with reference to products and/or services provided by the Company (hereinafter referred to as ‘processing for marketing purposes’), using both ‘generic’ and ‘profiled’ marketing activities (see definition of ‘profiling’ in Article (4) ‘Definitions’: ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person […]’) and consisting in the collection of data including, for example, customers’ personal information, their address and email address, job, marketing communication preferences, registration of their purchases, implementation of targeted marketing campaigns, delivery of customized services and additional benefits for all those who are entered in a dedicated Customer Relationship Management (CRM) system;
B. For the sake of maximum transparency and to make sure the data subject gives a conscious, informed consent, we herewith specify that registration to the website is a prerequisite for downloading the DEMO version of the VTENEXT software and entitles users to receive promotional or advertising communications from the Data Controller. Therefore users’ personal data will also be used for marketing and ‘profiling’ purposes, where specific consent was given. Consequently, users wishing to register with the website must necessarily give their consent to their personal data being processed by the Data Controller for the afore-mentioned ‘marketing purposes’.
C. Users who do not wish to give their consent to the ‘processing for marketing purposes’ must (and may) not register with the website, nor download the DEMO version of the VTENEXT software, but may nonetheless browse the website and view its contents as non-registered users.
D. Non-registered users are free to access and browse the website, but must be registered in order to receive marketing communications. To register, users must fill in an online form and provide certain personal data required for activating the authentication credentials (login & password) to access the functions made available to registered users and manage (edit or revoke) receipt of marketing communications. Further primary purposes of the processing are represented by the need to complete the required procedures for on-line registration and account creation, as well as the need to allow site managers to generate accounts and subsequently manage all technical and administrative aspects (and also provide technical support and assistance where needed), Client IDs, activation codes, passwords and similar authentication credentials created by the user during registration.
E. By consenting to the ‘processing for marketing purposes’ and for ‘profiling purposes’ the data subject specifically accepts that his or her personal data will be processed for promotional, business and marketing purposes – in a broad sense – and also for the performance of all subsequent management and administrative activities, and expressly acknowledges that such processing will take place by telephone via operators, by other non-electronic, non-telematic means and by other means not supported by automatic, electronic or telematic mechanisms and/or procedures, as well as by email, fax, SMS, MMS, automatic systems without operator intervention and similar means, including electronic platforms and other telematic means, and in compliance with Article 6(1)(a) of the GDPR. By giving optional consent, the data subject specifically acknowledges and accepts such processing and/or processing for similar purposes.
F. In any case, even if the data subject has given his or her consent, he or she will always be free to revoke it by editing the consent settings in the ‘Communication and Privacy’ section of the website. Upon receipt of the opt-out request, the Data Controller will promptly remove and erase from the databases the personal data used for ‘processing for marketing purposes’ and for ‘profiling purposes’ and will require any third party to whom the personal data was transmitted to delete such data.
G. If the data subject is asked to provide his or her telephone number for the purposes illustrated above, and his or her specific, optional consent (which also covers the processing of this personal data) for the promotional, marketing and profiling purposes described above, the Data Controller shall inform the data subject that it is legally authorized to use the telephone number for marketing and profiling purposes even if the number is listed in the national Do Not Call List (Registro Pubblico delle Opposizioni), as it is obtained from sources other than public telephone directories and is covered by specific consent, without prejudice to the data subject’s right to object to the processing by formally revoking his/her consent.
H. Pursuant to Article 21 of the GDPR, the data subject shall have the right to object to the processing of personal data concerning him or her for such marketing or profiling purposes, and where the data subject objects to the processing for direct marketing and profiling purposes, the personal data shall no longer be processed for such purposes.
I. The Data Controller herewith informs the data subject that his or her personal data may also be communicated to third-party business partners. Consent to ‘processing for marketing purposes’ and for ‘profiling purposes’ – where provided by the data subject – does not apply to processing for other marketing purposes, i.e. communication of the data to third parties for the same purposes. To communicate the personal data to third parties, the Data Controller needs an additional, separate, documented, explicit – and totally optional – informed consent by the data subject.
J. Personal data subject to ‘processing for marketing purposes’ shall not be disclosed. Personal data subject to ‘profiling’ shall neither be communicated to third parties nor disclosed.
Recipients and/or categories of recipients of the personal data
(see definition of ‘recipient’ in Article 9 (4) ‘Definitions’: ‘a natural or legal person, public authority – excluding those who receive personal data which are necessary to carry out a particular inquiry – agency or other body, to which the personal data are disclosed, whether a third party or not’).
Personal data may be communicated to: employees and/or co-workers of VTENEXT SRL, who, in turn, may process them, always and in all cases in full compliance with the principles governing the processing and within the limits and for the purposes herein described; companies/professional firms that work with or provide assistance and consultancy to the Data Controller on accounting, administrative, tax, legal and financial matters; public administrations for the performance of institutional functions within the limits established by law or by regulations; and third-party service providers that require the personal data for the provision of contractual services. Personal data will not be disclosed. Furthermore, without the need for explicit consent, the Data Controller may communicate the personal data of the data subject for the purposes referred to in point (a) of paragraph ‘Purposes of the processing for which the personal data are intended’ to oversight bodies, judicial authorities and all other entities to which the personal data must be disclosed by law for fulfilment of the above-mentioned purposes.
Transfer of personal data:
The personal data will be stored and managed on servers located in the European Union and belonging to the Data Controller and/or to third parties appointed as Data Processors. The reference provider is currently Aruba, whose servers are located in the European Union. The personal data shall not be transferred outside the European Union. It is understood that, if necessary, the Data Controller shall be entitled to move the server within the territory of Italy and/or European Union and/or non-EU countries. The Data Controller guarantees that the transfer of personal data to non-EU countries will take place in compliance with applicable laws, if necessary by entering into agreements that guarantee adequate levels of protection and/or by adopting standard contractual clauses provided by the European Commission.
Period for which the personal data will be stored:
The personal data shall be stored for the period of time strictly necessary for achieving the purposes underlying their processing and/or until the data subject explicitly revokes his or her specific consent. In any case they shall not be stored for more than 10 (ten) years from termination of the service and/or product provision relationship.
Rights of the data subject:
Pursuant to Art. 7 of Italian Legislative Decree No. 196/2003 and the GDPR, the data subject may exercise the following rights:
• obtain from the Data Controller access to his or her personal data and obtain confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the necessary information governed by Article 15 ‘Right of access by the data subject’ of the GDPR and Section 7(1) of Italian Legislative Decree No. 196/2003;
• obtain from the Data Controller the rectification of inaccurate personal data concerning him or her. The data subject shall also have the right to have incomplete personal data completed, as provided for in Article 16 ‘Right to rectification’ of the GDPR and Section 7(3)(a) of Italian Legislative Decree No. 196/2003;
• obtain from the Data Controller the erasure of personal data concerning him or her where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (point (a)); where the data subject withdraws consent and where there is no other legal ground for the processing (point (b)); where the data subject has objected to processing pursuant to Article 21(1) or (2) and the Data Controller no longer needs the personal data for the purposes of the processing (point (c)); where the processing is not lawful (point (d)); where erasure of personal data constitutes compliance with a legal obligation to which the Data Controller is subject (point (e)); where Article 8(1)(f) applies, as governed in detail by Article 17 ‘Right to erasure (‘right to be forgotten’)’ of the GDPR and Section 7(3)(b) of Italian Legislative Decree No. 196/2003;
• obtain from the Data Controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the Data Controller to verify the accuracy of the personal data (point (a)); the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead (point (b)); the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims (point (c)); the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the Data Controller override those of the data subject (point (d)), as governed in detail by Article 18 ‘Right to restriction of processing’;
• pursuant to Article 6(1)(e) and (f), the data subject shall have the right to oppose the processing of his or her personal data at any time for reasons related to his or her particular situation, including the profiling pursuant to the same provisions, and the processing for marketing purposes, including, in this case, profiling to the extent that it is related to such direct marketing. All this is governed in detail by Article 21 ‘Right to object’ of the GDPR and Section 7(4)(a) and (b) of Italian Legislative Decree No. 196/2003;
• obtain data portability pursuant to Article 20 ‘Right to data portability’;
• withdraw his or her consent to the processing of his or her personal data at any time, without the withdrawal of consent affecting the lawfulness of processing based on consent before its withdrawal. All this is governed in detail by Article 7 ‘Conditions for consent’;
• lodge a complaint with an authority supervising implementation of the GDPR in order to protect the rights and fundamental freedoms of natural persons with regard to the processing of personal data. All this is governed in detail by Article 51 ‘Supervisory authority’ and following Articles.
Freedom to provide one’s personal data
The user shall be free to provide his or her personal data, aware that failure to do so will make it impossible to receive the requested service.
Exercise by data subjects of their rights:
Data subjects may exercise their rights by sending an email to firstname.lastname@example.org or writing to VTENEXT SRL (Tax Id and VAT No. 09869110966), represented by its legal representative pro tempore, based in Viale Fulvio Testi 223, Milan, Italy.
Data Controller and Processor:
The Data Controller and Processor is:
VTENEXT SRL (Tax Id and VAT No. 09869110966), represented by its legal representative pro tempore, based in Viale Fulvio Testi 223, Milan, Italy. Tel. (+39) 02 – 37901352; email email@example.com; certified email: firstname.lastname@example.org