Information about processing of personal data
Within the meaning and for the purposes (i) of Legislative Decree of 30 June 2003, n. 196, the ‘Privacy Code’, (ii) of EU Regulation 2016/679 on the ‘protection of natural persons with regard to the processing of personal data, and on the free circulation of such data’, the “GDPR”, art. 13 and 14, and (iii) of the Legislative Decree of 10 August 2018, n. 101, which contains the provisions for the adaptation of national legislation to the EU Regulation 679/2016, also jointly called the ‘Privacy Policy’, some obligations are imposed on the subjects carrying out the processing – intended as ‘the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’ – of personal data relating to other subjects (the “Processing”).
CGM CIGIEMME S.P.A., headquartered in Via Adda, 21 – 20073 Opera, Milano (the ‘Company’), wishes to inform you, in the following sections, about the modalities and purposes of the processing of your personal data.
A) Data Controller and Data Protection Officer
The Data Controller is the person who determines the purposes for which and the manner in which personal data are to be processed (the ‘Data Controller’) and is identified as CGM CIGIEMME S.p.A.
The Data Controller may be contacted by mail at the following address: Via Adda, 21 – 20073 Opera, Milano, or at the following e-mail address: cgm@pec.cgm-cigiemme.it
The Data Protection Officer is: Studio Cattaneo Dall’Olio Rho & Partners – Tax&Legal, headquartered in Via D. Piccinini, 2 – 24122 Bergamo, email: privacy@cdr-taxlegal.it
B) Modalities to collect data from the Data Subject
The Data Controller may acquire your personal data under the following circumstances:
- if you contact us through our website, by email or phone, to request information about our services and products;
- if you buy a product and/or a service carried out by our Company, including pre-contractual negotiations;
- if you provide your data to receive direct marketing communications, newsletters and/or to be updated on the events organised and the marketing initiatives carried out by the Company;
- if the commercial partners of the Data Processor transfer to the Controller your personal data lawfully;
- if the Data Controller acquires your personal data from other sources in accordance with the applicable laws and the requirements under Art. 14 of the GDPR (i.e. public registers, directories, acts or documents available to whoever within the limits and under the conditions provided by law on their knowability).
C) Categories of data subject to Processing
Data processed by the Data Controller may include:
- Data related to natural persons that are necessary to sign and perform a contractual/commercial relationship with a customer/supplier, such as those relating to the customers/suppliers themselves, to the legal representative of the customers/suppliers signing the contract for and on behalf of the latter, or to the internal company representatives of the customers/suppliers themselves (e.g. name, surname, phone number, email, bank account) involved in the activities dealing with the main contractual/commercial relationship, as well as any other information necessary to perform the contractual/commercial relationship and/or provide services;
- Information dealing with the modalities in which you use the company’s website, you open or send the communications received by the company, including the information collected by means of cookies and other tracking technologies privacy policy;
- Images of you collected with photos/videos taken during any event organized by the Company.
(also referred to as “Data”).
D) Purposes and legal basis of the processing
Within the meaning of the Privacy Policy, the processing of personal data must be legitimised by one of the legal bases provided by art. 6 of the GDPR. These are specifically described for each purpose under which the Data Controller processes your data:
- Management of the contractual relationship:
The Data Controller shall process your data to reply to your requests, and to fulfil the preliminary requirements for the conclusion of the contract.
Legal basis: processing is necessary for the performance of your contract or of the pre-contractual measures adopted upon your request (art. 6 par. 1 letter b of the GDPR).
Data storage policy: The data that we collect only for an estimate will be stored for a maximum period of five years. The data processed to perform the contract may be stored for the whole duration of the contract and for the subsequent ten years from the end of the fiscal year following the year in question.
- Fulfilment of legally binding obligations:
The Controller processes your data to fulfil any private law, administrative, fiscal or accounting obligation provided by law, a Regulation, the European legislation or by an order of the Authorities deriving from the outstanding relationship with you.
Legal basis: processing is necessary for the performance of your contract (art. 6 par. 1 letter b of the GDPR) or to fulfil a legal obligation of the Controller (art. 6 par. 1 letter c of the GDPR).
Data storage policy: The Data may be stored for the period of time necessary to fulfil any legal obligation and, in any case, for the whole duration of the contract and for the subsequent ten years from the end of the fiscal year following the year in question.
- Defence of the Data Controller’s rights:
If necessary, the Controller will provide all the information dealing with you to the Authorities and the bodies responsible for the enforcement of law, regulation or judicial documents, as well as to third parties in a formal dispute. The Data Controller reserves the right to process your personal data to defend its rights deriving from the Contract before a judge, also for debt collection, directly or by third parties (debt collection agencies/companies), who will receive your data only for these purposes.
Legal basis: processing is necessary for the purposes of the legitimate interest pursued by the controller, in order to defend a right or make further demands on the outstanding commercial relationship, except where such interests are overridden by the interests or fundamental rights (art. 6 par. 1 letter f of the GDPR).
Data storage policy: your data may be stored for the period of time necessary to allow the Company to take action or defend against possible claims towards you or third parties.
- Marketing activities:
The data collected for the selling of a product and/or service, also through the company’s website, may be processed to send you commercial/promotional communications – by automated means (such as email, sms or mms) and/or traditional means (i.e. paper mail) related to services offered by the Company – and/or invitations to events organised by the Company, as well as for market research, statistical analyses or customer satisfaction surveys. At any moment, you will be informed of the modalities to withdraw consent to processing, easily and free of charge. As for promotional purposes of the company, with your consent, the Controller will collect and publish your image on any means of communication, on the company’s website, on social media or in the local, national or international newspapers as well as on any other means (existing or to be invented in the future).
Legal basis: you have given your consent as data subject of the processing (art. 6 par. 1 letter a of the GDPR).
Data storage policy: data collected for marketing purposes may be stored until you withdraw consent, except when any image of you has been published on our website, social media or commercial brochures.
- Promotional activities:
In order to promote the core business of the Company, the Controller shall collect personal data pertaining to you (collected during promotional events) and share your image on any means of communication, on the Company’s website, on social media (for instance Facebook) or in the local, national or international newspapers as well as on any other means (existing or to be invented in the future), without any compensation.
Legal basis: you have given your consent as data subject of the processing (art. 6 par. 1 letter a of the GDPR).
Data storage policy: data concerning your image will be stored in the controller’s database for twenty-four months. Then, they will be erased, except where they have been shared on the internet, social media or commercial brochures. You can withdraw consent to the abovementioned processing at any time.
If the Controller intends to process your data for purposes other than those mentioned above, it is required to inform you of these other purposes before carrying out that processing.
E) Nature of consent to data processing
Consent to data processing for the purposes under letters a), b) and c) is compulsory since it is required to perform legal and contractual obligations. Any refusal or subsequent withdrawal may make it impossible for the Controller to fulfil the outstanding contractual relationship.
Consent to data processing for letters d) and e), instead, is optional, and failure to give consent to the processing of those data will make it impossible to carry out the abovementioned activities.
F) Modalities to process Personal Data
Processing will be carried out by the Company in compliance with the security measures under art. 32 of the GDPR, through manual, information system and computerised tools specifically designed to store, manage and transmit them to pursue only the purposes for which the data were collected and, in any case, to guarantee their security and confidentiality, as well as in full compliance with the principles of fairness, lawfulness and transparency. No automated tools are used by the Controller to process data.
G) Communication of Data
Access may be granted to:
- Controller’s employees and associates in charge and/or internal Processors and/or system administrators;
- External third parties carrying out on behalf of the controller outsourcing activities for purposes dealing with support, administrative, accounting, fiscal areas or for purposes related to supply relationship or legal protection;
- Supervisory bodies, judicial authorities and all other subjects which by law require such communication in order to achieve these purposes.
H) Data transfer to a third country or an international organization
Personal data are to be processed within the European Union and stored on servers located in that area. However, if necessary, the Data Controller will have the right to transmit such data to a third country or to an international organisation and/or to move the servers outside the EU. In this case, the Data Controller ensures that the transfer of data outside the EU will be carried out in accordance with the applicable legal provisions under art. 44 and following of the GDPR.
I) Data subject’s rights
The Company informs you that, pursuant to articles 15-22 of the GDPR, you, as Data Subject, may exercise specific rights in relation to your personal data at any time, by contacting the Data Controller, such as:
- Access to your personal data and information;
- Without undue delay, rectification of incorrect personal data, as well as the integration of the incomplete data (with an integrative statement);
- The erasure of your personal data if (i) data are no longer necessary in relation to the purposes for which they were collected, (ii) you withdraw consent on which the processing is based and there is no other legal ground for the processing, (iii) you objected to the processing pursuant to art. 21 of the GDPR, (iv) data have been unlawfully processed, or (v) the erasure is necessary to fulfil a legal obligation;
- Limitation of the processing of your personal Data as provided by art. 18 of the GDPR.
If the Processing is based on your consent or on the contract and this is carried out by automated means, you have the right to receive these Data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller unimpeded. This right is not applied if the Processing is necessary to perform a duty of public interest or is connected to the exercise of a public office of the Data Controller.
If you consider that the Processing breaches the Privacy Policy or the Controller has not fulfilled the abovementioned duties, pursuant to art. 77 of the GDPR you have the right to lodge a complaint with a supervisory authority of the Member State in which you reside or habitually work, or the State in which the supposed violation has occurred, without prejudice to any other administrative or judicial appeal, in case of a violation of the provisions of the abovementioned Regulation. This is without prejudice to any other administrative or judicial remedy.
If the Processing is based on your consent (art. 6 par. 1 letter a of the GDPR), you have the right to withdraw consent, at any time, without prejudice to the lawfulness of the processing carried out on the basis of the consent given before the withdrawal.
If you need further information on the processing of your personal data or wish to exercise the abovementioned rights, you can send a written request using the contacts provided in the ‘Data Controller’ section of this statement. If you request more information about your data, the data controller shall respond promptly – unless this proves impossible or involves a manifestly disproportionate effort compared with the right to be protected – and in any case no later than thirty days from the request. The data controller will justify any inability or delay in meeting the request.
Last update: October 2021