Purpose of processing
The processing of the personal data provided is aimed solely at:
• execution of the contract;
• fulfilment of legal obligations related to the contractual relationship;
• management of the contract, e.g. relations with agents, representatives, principals and/or contractors;
• any external professional collaboration for the fulfilment of legal obligations;
• protection of contractual rights;
• internal statistical analysis;
• subject to your specific consent, marketing activities through the sending of promotional and advertising material concerning products or services similar to those covered by the existing business relationship;
• subject to your specific consent, for “profiling activities”; understood as “any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person” (art.4 GDPR)
The data processed by Exi S.p.A. fall into the following types:
1. Common personal data
Personal data (such as, for example, name, surname, date of birth, address, telephone number);
2. Navigation data and Cookies
Personal data will be processed in paper, computer and telematic form and entered into the relevant databases which can be accessed by those responsible for data processing.
EXI S.p.A. will take care of the data received:
• the exact registration, so that they correspond to what you have declared;
• updating any communication and variation provided by you;
• storage in a form that allows your identification for a period of time not exceeding that necessary for the purposes for which the data were collected.
Your data may be used
• by EXi S.p.A.’s staff who have been assigned a specific role as data processors, who have been given adequate instructions and who are bound by confidentiality obligations, with the use of security measures aimed at ensuring the protection of your confidentiality and avoiding the risks of loss or destruction, unauthorised access, unauthorised processing or processing that is not in accordance with the purposes mentioned above;
• by persons authorised to perform such tasks who have been duly trained and informed by EXI S.p.A. and who provide specific processing, administrative or instrumental services necessary for achieving the above purposes.
All data processing operations are carried out in such a way as to guarantee the integrity, confidentiality and availability of your personal data.
Your personal data will not be published, displayed or made available and/or consulted by unspecified parties.
Your data may be communicated to the competent authorities, according to the terms of the law.
In the event of your explicit consent in relation to the purposes described above (marketing and profiling), your personal data will be made visible and stored in a single computer archive for the management of customer relations. Your personal data may be used by third party companies which, as Data Processors, carry out activities on behalf of EXI S.p.A.. It is possible to obtain an updated list of the External Processors appointed by EXI S.p.A. by sending a request to the e-mail address email@example.com.
Period of data retention
The data will be stored for the period of time strictly necessary to achieve the purposes concretely pursued and, in any case, the criterion used to determine the storage period is based on compliance with the terms permitted by applicable laws and the principles of minimising processing, limiting storage and rational management of archives.
Following the indications of the times and criteria for the storage of your personal data:
• Marketing purposes: 24 months from collection, without prejudice to the possibility of modifying and/or revoking your will at any time.
• Profiling purposes: 12 months after collection, without prejudice to the possibility of modifying and/or revoking your consent at any time.
We also inform you that, pursuant to Articles 5 and 89.1 of the Regulation, your personal data may be stored for longer periods of time than those specified in the previous paragraph for statistical purposes only, without prejudice to the implementation of appropriate technical and organisational measures required by law to protect your rights and freedoms.
Rights under articles 15, 16, 17 18, 20, 21 and 22 of EU REG. 2016/679
We inform you that as a data subject you have in addition to the right to lodge a complaint with the Supervisory Authority, the rights listed below, which you may assert by addressing a specific request to the Data Controller and/or the Data Processor, as indicated in point 1.
Art. 15 – Right of access: you may request confirmation as to whether or not data relating to you is being processed, as well as further clarification of the information referred to in this Policy;
Art. 16 – Right of rectification: you may request to rectify or supplement the data you have provided to us, if inaccurate;
Art. 17 – Right to erasure (right to be forgotten): you can ask for your data to be erased, if: they are no longer necessary for our purposes, in case of revocation of consent or your objection to processing, in case of unlawful processing, or there is a legal obligation to erase or relate to persons under sixteen years of age; revocation: you can revoke your consent at any time, if this constitutes the basis of processing. Revocation of consent, however, does not affect the lawfulness of processing based on the consent given before revocation.
Art. 18 – Right to restriction of processing: you may request that your data be processed only for storage purposes, to the exclusion of other processing, for the period necessary to rectify your data, in the event of unlawful processing for which you object to its deletion, if you need to exercise your rights in a court of law and the data stored by us may be useful to you and, finally, in the event of objection to processing if a check is being made as to whether our legitimate reasons prevail over yours;
Art. 20 – Right to data portability: you may request to receive your data, or have it transmitted to another data controller indicated by you, in a structured, commonly used and machine-readable format;
Art. 21 – Right to object: you may object at any time to the processing of your data, unless there are legitimate reasons for processing which override your own, for example for the exercise of our rights or our defence in court;
Art. 22 – Right not to be subject to automated decision-making, including profiling
You may ask to exercise the above-mentioned rights at any time by contacting EXI S.p.A. at the following e-mail address: firstname.lastname@example.org.; EXI S.p.a. will handle your requests within the terms provided for by the GDPR.
In addition, we inform you that you are entitled to lodge a complaint with the Italian Data Protection Authority: “Garante per la Protezione dei Dati Personali” in case you believe that your rights have been violated by EXI S.p.A. and/or by a third party or in case you do not consider EXI S.p.A.’s reply to your requests as satisfactory.