PERSONAL DATA PROCESSING POLICY
Mistral SPA with registered office in Sassuolo, Via Via Regina Pacis, 84. and V.A.T. 02775870369 (hereinafter “Data Controller”), as Data Controller, informs you, pursuant to art. 13 D.Lgs. 196/2003 (hereinafter “Privacy Code”) and art. 13 EU Regulation n. 2016/679 (hereinafter “GDPR”) that your data will be handled in the following way and for the following purposes:
- Undergoing Processing
The Data Controller, in order to establish and manage the current business relation with you, handles your personal, identification, contact and tax data (such as name, surname, company name, address, phone number, e-mail address, bank and payment details, etc.).
- Purpose of the processing and legal basis
Your personal data are processed:
- Without your explicit consent (Article 24 of the Privacy Code and Article 6 of the GDPR) for the following service purposes:
- Perform the contracts for the Data Controller’s service
- Fulfill the pre-contractual, contractual and tax obligations arising from the relation
- Fulfill the obligations required by law, by regulation, by the Community legislation or by order of the Authorities
- Exercise the rights of the Data Controller, such as the right of defense in court;
Only with your specific and distinct consent (Article 23 and 130 of the Privacy Code and Article 7 of the GDPR), for the following marketing purposes:
- To send you – by e-mail, mail and/or text messages and/or telephone contacts, newsletters – commercial communications and/or advertising materials on products or services provided by the Data Controller and for the collection of the satisfaction level on the service quality;
- To send you – by e-mail, mail and/or text messages and/or telephone contacts – commercial and/or promotional communications of third parties (such as business partners, other group companies, etc.)
3. Nature of the Data provision and refusal consequences
Data provision for the purposes mentioned in point 2.a is mandatory. Without their provision, services cannot be guaranteed. Data provision for purposes mentioned in point 2.b is optional. You can therefore decide not to provide any data or subsequently deny the possibility of processing the data already provided for these purposes; in this case you won’t be entitled to receive newsletters, commercial communication and advertising material about the services and the products offered by the Data Controller. However, you will still be entitled to the services mentioned in point 2.a
- Data Processing
The processing of your personal data is carried out through the operations as indicated in art. 4 of the Privacy Code and art. 4 n.2 of GDPR, namely: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Your personal data are processed both on paper and by electronic and/or automated means. The data will be processed by appointed personnel and employees within their specific functions and according with the received instructions, always just to meet the specific purposes and thoroughly observing the principles of confidentiality and security required by the applicable rules.
5.Acces to Data
Your data can be accessed for the purposes as per point 2:
- By Data Controller’s employees and contractors, as data supervisors and/or system administrator;
- By third-parties companies or other entities (such as credit institutions, professional practices, consultants, insurance companies, etc.) who perform outsourced activities on behalf of the Data Controller, in their capacity as external processing managers.
6. Disclosure of Data
Without the need for an explicit consent (Article 24 of the Privacy Code and Article 6 of the GDPR), the Data Controller may communicate your data for the purposes, referred to in point 2.a, to Supervisory Bodies, Judicial Authorities and all the other subjects to whom the communication is mandatory by law for the accomplishment of the aforementioned purposes. Your data won’t be disseminated.
- Transfer Of Data
Your data won’t be transferred outside the EU. In any case it is understood that the Data Controller, if necessary, has the right to transfer data in the European Union and/or in non-EU countries. In this case, the Data Controller right now ensures that the data transfer outside EU will take place in accordance with local requirements and by making agreements, if necessary, to guarantee an adequate level of protection and/or implementing the standard contractual clauses provided by the European Commission and/or binding corporate rules.
All personal data provided will be processed according to the principles of lawfulness, correctness, relevance and proportionality, and only with the methods, including computer-based and telematic, strictly necessary to pursue the purposes above mentioned. In any case, personal data will be kept for a period not exceeding what is strictly necessary to achieve the purposes indicated. Personal data that do not need to be retained for the indicated purposes, will be deleted or converted into an anonymous form. Please note that the information systems, which are used to manage the collected information, are set up to minimize the use of personal data.
9.Rights of the Data Subject
As Data Subject, you have the rights as per art. 7 of the Privacy Code and art. 15 and ss. GDPR, and precisely the rights of:
- Obtaining from the Data Controller the confirmation as to whether or not your personal are being processed, and, where that is the case, obtaining the access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if recipients of third countries or international organizations; where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period; where the personal data are not collected from you, any available information as to their source; the existence of an automated decision-making process, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
- Obtaining from the Data Controller the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Obtaining from the Data Controller the erasure of your personal data without undue delay, where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) you withdraw consent, on which the processing is based, according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; (c) you object to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2); d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
- Obtaining from the Data Controller restriction of processing where one of the following applies: a) you contest the accuracy of the personal data, for a period enabling the controller to verify their accuracy; b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; c) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the assessment, exercise or defense of legal claims; d) you have objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the Data Controller override yours.
- Receiving, in a format that is structured, of common use and machine-readable, your personal data which were provided to a data controller and transmitting this data to another data controller without impediments by the data controller who which they were provided when: a) the processing is based on a contract b) the processing is carried out by automated means. In exercising your right to data portability, you shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
- Opposing at any time, for reasons relating to their particular circumstances, to the processing of your personal data pursuant to Article 6 (1) (e) or (f), including profiling on the basis of these provisions. Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Having the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
- Having the right to lodge a complaint with a supervisory authority.
10.Procedure for the exercise of any right
You may exercise your rights at any time by sending an e-mail to the address firstname.lastname@example.org
11.Data Controller responsible and in charge
The controller is Mistral SPA with registered office in Sassuolo, Via Via Regina Pacis, 84. and V.A.T. 02775870369. The updated list of data controllers and data processors is kept at the registered office of the Data Controller.
Last Update: 24/05/2018