Almo Nature UK, LTD38 Craven Street, London;WC2N 5NG, United Kingdom,asController of the processing of personal data (the “Controller”) in accordance with Articles 4(7) and 26 of EU Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data (the “EU Regulation”), informs you in accordance with Article 13 of the [Italian Data Protection] Code and of the EU Regulation that it isthe Joint Controller of your personal data and will process them for the purposes and in the manner indicated below.
Processing of personal data means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
We inform you that this data will be processed manually and/or with the support of computer or electronic means for the following purposes.
A. Purpose of the processing of personal data and legal basis
A.1 Purposes connected with the management of the contractualrelationship
First of all, the processing of personal data requested is for the properand complete establishment and performance of the existing contractual relationship, and more specifically to effectively manage the contractual relationship and to fulfil the legal and contractual obligations arising from it.
A.2 Purpose of fulfilling obligations provided for by law, regulations or EU regulations.
Secondly, personal data will also be processed to fulfil obligations under the law, a regulation or EU legislation and for regulatory, accounting and tax purposes.
A.3 Purposes of advertising and promotional communication.
Third, personal data will be processed to allow the sending of business communications by electronic mail on products similar to those that have already been the subject of a business relationship between the data subject and the Joint Controllers.
A.4 Legal basis
The processing of personal data for the purposes set out in points A.1 and A.2 above is necessary, under Article 6 of the EU Regulation, to perform an obligation under the law, a regulation or an EU Regulation, or because the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into the contract or – finally – because the processing of data is for administrative and accounting purposes.
The processing of personal data for the purposes referred to in point A3. is based on a legitimate interest on the part of the Joint Controllers to strengthen the commercial relationship with the data subject and without prejudice, in any event, to the right of the data subject to object at any time to the processing, easily and free of charge.
B. Disclosure and dissemination of personal data for the primary purposes of processing.
In accordance with Article 13(1)(e) of the EU Regulation, we set out below the recipients or categories of recipients who may become aware of the user’s personal data in their capacity as processors or persons in charge of processing and set forth below is a list by category:
- the Controller’s staff in charge of administrative and accounting management and marketing activities;
- those appointed to maintain and/or repair information technology tools;
- those in charge of surveys and the provision of services;
- Employment consultants and/or accounting firms, in their capacity as processors;
- network of agents of the Joint Controllers;
- contractorsand employees of the companies belonging to the Almo Nature group;
- factoring companies;
- credit institutions;
- debt collection companies;
- credit insurance companies;
- commercial information companies;
- the Controller’s professionals and consultants;
- companies operating in the transport sector.
Moreover, for the purposes indicated in point A), the data may be disclosed to any other third party when disclosure is required by law or the contract.
The personal data of the users will not be disseminated.
B1. Mandatory or optional consent for the primary purposes of the processing of personal data.
In all the cases set out above in paragraphs A and B (for cases of disclosure to third parties) – and on the basis of the applicable rules of the EU Regulation – the provision of personal data is strictly necessary in order to carry out the activities referred to in point A1. and A2.
Failure to provide all or some of the data referred to in points A1. and A2. above, could make it impossible for the Controller to carry out the contract or to correctly carry out all its obligations, such as those relating to remuneration, tax and insurance, related to the contractual relationship.
C. Period for which data will be stored and other information.
In compliance with the principles of lawfulness, purpose limitation and data minimisation, under Article 5 of EU Regulation No. 2016/679, personal data will be storedfor the period of time necessary to achieve the purposes for which they are collected and processed according to the criteria specified below under Article13(2)(a)of the EU Regulation:
- For the purposes of A1. and A2. above: 10 years from the last delivery of the products;
- For the purposes of A3 above: 10 years or less if the data subject objects to the processing.
D. Data transfer
Under Article13(1)(f) of the EU Regulation, the personal data collected will be processed electronically by the provider Mailjet; the relatedinformation on Privacy can be found on the site https://www.mailjet.com/privacy-policy/. In this context, the data will be processed and stored within the European Union.
The data will also be processed by Oracle software; the relevant information on Privacy can be found at https://www.oracle.com/it/legal/privacy/privacy-policy.html.
In this context, personal data will be transferred to the United States. As Oracle is certified in accordance with the “Privacy Shield”, the transfer outside the European Union is authorised, in accordance withArticle 45 of EU Regulation No. 2016/679, on the basis of the adequacy decision of the European Commission 2016/1250 of 12 July 2016.
The data will also be stored in the Amazon web services cloud; the relevant information on Privacy can be found at https://aws.amazon.com/compliance/gdpr-center/?nc1=h_ls.
In this context, personal data will be transferred to the United States. As Amazon Web Services is certified in accordance with the “Privacy Shield”, the transfer outside the European Union is authorised, in accordance withArticle 45 of EU Regulation No. 2016/679, on the basis of the adequacy decision of the European Commission 2016/1250 of 12 July 2016.
E. Automated decision making, including profiling
The Controller does not carry out any automated decision making, including profiling, under Article 22(1) and (4) of EU Regulation No. 679/2016.
F. Objection to processing for promotional and marketing purposes
The data subject can object at any timetoprocessing for the purposes set out in A.3 above by simply sending a clear e-mail to that effect to: email@example.com. Following receipt of this opt-out request, the Controller will promptly remove and erase the data from the databases used for these purposes and inform any third parties to whom the data have been disclosed for the same purposes of erasure. The receipt of the erasure request will automatically be considered as confirmation of the erasure.
You are specifically informed, as required by Article 21 of the GDPR that if the personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her carried out for such purposes and that if the data subject objects to the processing for direct marketing purposes, personal data may no longer be processed for such purposes.
G. Method of processing
The processing of data for the purposes set out above takes place using both automated methods, on electronic or magnetic media, and non-automated methods, on paper, in compliance with the rules of confidentiality and security laid down by law, by consequent regulations and by internal regulations.
The data will be processed by the recipients authorised to perform the tasks referred to in point A, who will always be identified, properly instructed and made aware of the security obligations under the EU Regulation as well as prepared by Controller.
H. Joint Controllers and Processors.
The identification details of the Controllerare as follows:
- BAKER TILLY
MANAGEMENTLIMITED – THE
PORTLAND BUILDING 25 HIGH
STREET CRAWLEY WEST SUSSEX
- Almo NatureSpa
Piazza Giustiniani 6
Genova (Italia), 6
The point of contact to exercise the rights under Article 7 of the Privacy Code and Article 26 of EU Regulation2016/679 isAlmo Nature S.p.A., firstname.lastname@example.org
The identification details of the Processers
13-13 bis, Rue de l’Aubrac
75012 Paris, France
500 Oracle Parkway
Redwood Shores, CA
Tel: +1.650.506.7000Chief Privacy Officer, Oracle Corporation
10 Van de Graaff Drive
Burlington, MA 01803
- Amazon web services
The up to date list of the persons in charge of processing is available at the addresses set out above.
I. Exercise of the rights by the data subject.
In accordance with Articles 13(2)(b) and (d), 15, 18, 19 and 21 of the EU Regulation, the data subject has the right to:
- request confirmation as to whether or not their personal data exist;
- obtain information on the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be disclosed and, where possible, the period for which the data will be stored;
- obtain the rectification and erasure of the data;
- restricttheprocessing or object to processing;
- obtain the portability of data, i.e. receive them from a Controller, in a structured, commonly used and machine-readable format, and transmit them to another Controller without hindrance;
- withdraw consent at any time without prejudice to the lawfulness of the processing based on consent given prior to the withdrawal;
- lodgea complaint to the Italian Data Protection Authority, following the procedures and instructions published on the official website of the Authority on garanteprivacy.it;
Any rectification, erasure or restriction of the processing carried out at the request of the data subject, unless this proves impossible or involves a disproportionate effort, will be disclosed by the Joint Controllers to each of the recipients to whom the personal data were transmitted. The Joint Controllers can provide the data subject with a list of such recipientsupon request.
The exercise of the rights is not subject to any form restriction and is free of charge and may be exercised by sending a registered letter with acknowledgement of receiptto the address [•] or an e-mail to email@example.com
Article 7 of the Privacy Code is reproduced in full below, while Articles 15 to 23 of the EU Regulation can be consulted at this link: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=FR