Pursuant to Articles 13 and 14 of the GDPR, we would like to inform you of the following about the processing of your personal data in connection with the current or pre-established contractual relationship between you and Clementoni S.p.A.
The Data Controller is CLEMENTONI S.p.A., whose registered offices are in Recanati, Zona industriale Fontenoce, VAT no. IT 00092380435, hereinafter referred to as “Data Controller” or “Clementoni”.
Types of data processed
- personal details (name and surname, tax code, VAT no. permanent address, etc.);
- contact information (telephone numbers, email);
- bank details (name of bank, current account number, etc.).
Purposes of the processing and legal basis for processing
The personal data listed above will be processed for the following purposes:
- managing administrative obligations in order to establish the contractual relationship;
- managing accounts (recording debit and/or credit accounting documents, collections/payments, etc.);
- fulfilling statutory and tax obligations;
- dispute management.
The provision of data for the processing activities under a) to c) is necessary for the proper performance of contractual obligations (Article 6, paragraph 1, letter b) GDPR) and for compliance with legal obligations under applicable statutory and tax laws (Article 6, paragraph 1, letter c) of the GDPR).
The provision of data for the processing activity under letter d) is necessary for the legitimate interest of the Data Controller in the event of any legal proceedings.
The aforesaid data processing is also permitted, for the same purposes, pursuant to Article 9, paragraph 2, b) and e) of the GDPR.
Any partial or total refusal to provide data will not allow the above-mentioned obligations to be performed, resulting in the failure to establish or continue the contractual relationship.
Data retention time
Personal data will be stored for a period of 10 years starting from the end of the last-established relationship, unless a longer term should be required for the protection of judicial and extra-judicial rights of the Data Controller.
After such period, the data will pseudonymised, separated into a DB and stored in encrypted form.
Data disclosure and scope of disclosure
In relation to the aforementioned purposes, and within the limits strictly relevant thereto, personal data will or may be disclosed to the following categories:
- the Revenue Authorities and other public authorities, where required by law or upon their request;
- banks for payment orders or other financial activities required for the performance of the Contract;
- external structures and/or companies which are entrusted by the Data Controller to carry out activities that are related to, instrumental in or resulting from the performance of the Contract;
- subsidiaries, associated or parent companies of the Data Controller;
- external consultants (for example, in handling tax compliance obligations);
- external parties that carry out control activities, such as independent auditors, board of statutory auditors, supervisory board;
- professional advisers and/or law firms for the protection of its interests/rights.
The parties indicated above, to which the personal data of the Data Subject will or may be disclosed (except when they are designated as Data Processors), will process the personal data as Data Controllers in full autonomy.
If this is necessary for the performance of the Contract, the personal data of the Data Subject may be transferred to countries in the EU and/or to countries outside the EU, in full compliance with the provisions outlined in the GDPR. In particular, the Data Controller undertakes to comply with the provisions regarding the signing of so-called “standard contractual clauses” between legal entities for processing data outside the EU.
The complete list of data processors and authorized of personal data can be requested by sending an email to firstname.lastname@example.org.
Personal data will be processed relying on paper-based and IT procedures. For such purposes, all appropriate procedures will be adopted to protect the confidentiality, integrity and availability of the information in compliance with current regulations.
Data subject’s rights
Pursuant to Articles 15-21 of the GDPR and under the conditions specified therein, the data subject may at any time exercise the following rights with respect to Clementoni S.p.A.:
- right to withdraw any consent to the data processing (see section “Purposes of the processing and legal basis for processing”);
- right of access (he/she has the right to obtain confirmation of the existence of data processing as well as information on the data processed and to receive a copy thereof);
- right of rectification (he/she may request the updating or correction of his/her personal data);
- right to the erasure of data (in the cases and under the conditions specified in Article 17 of the GDPR);
- right to data portability (in the cases and under the conditions specified in Article 20 of the GDPR);
- restriction of processing (in the cases referred to in Article 18 of the GDPR);
- right to object;
- right to file a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
Exercise of data subject’s rights
In order to exercise the aforementioned rights, the User must send a written request to the contact addresses of Clementoni S.p.A. specified below.
Data Protection Officer (DPO)
Clementoni S.p.A. has appointed a Data Protection Officer (DPO) pursuant to Article 37 of the GDPR.
For any request and in order to exercise their rights, Users may contact the DPO by writing to the email address email@example.com or by letter addressed to:
Data Protection Officer
Zona Ind.le Fontenoce snc
62019 Recanati (MC), Italy.