FPZ S.p.A., registered office in Via F.lli Cervi n. 16, 20863, Concorezzo, Monza Brianza, Italy, e-mail address: email@example.com, in its role as the Data Controller (the “Company” or the “Controller”), shall provide below the common information concerning the processing of personal information and data carried out within the company’s institutional website, accessible online at the following URL: www.fpz.com (the “Website”).
The Controller has appointed a Data Protection Officer (DPO), who can be contacted at the following e-mail address: firstname.lastname@example.org concerning any and all requests and information concerning the processing of personal information and data carried out by the Company.
1. Categories of data subjects and personal information and data processed
The Controller shall process the personal information and data of the identified or identifiable natural persons visiting and consulting the website or that directly interact with the Controller (the “Users”).
The personal information and data processed are the following:
- Browsing information and data: the ICT systems and the software procedures underlying the workings of the site acquire, during their normal activity, some of the personal information and data whose transmission is implicit in the use of the Internet communication protocols. The following are included in the category of data herein: the IP addresses or the domain names of the computers and terminals employed by users, the URI/URL (Uniform Resource Identifier/Locator) addresses of the resources having been requested, the time of the request, the method used for the request to the server, the size of the file obtained in response, the numeric code indicating the state of the answer given by the server (success, error, and the like) and other parameters concerning the users’ operating system and ICT environment;
- Cookies and other tracking systems: for further information on the kinds of cookies used, their use management and purposes, please see the Cookie Policies on the Website.
(all the “Personal Information and Data”)
2. Purposes and juridical basis of the processing:
The Controller shall process the Personal Information and Data having been collected within the context of the Website for the purposes and because of the juridical basis detailed in the table below:
| No. | What are the PURPOSES of the processing? | What is the JURIDICAL BASIS of the processing? |
|---|---|---|
| 1) | Fulfilling a legal obligation connected with civil, fiscal and administrative law provision, as well as with EU law provisions, norms, codices and procedures approved by Authorities and other competent institutions, as well as following up requests by the competent administrative or judicial authority and, more generally, by public subjects, in full compliance with legal formalities. | Fulfilment of a legal obligation the Controller is subject to. |
| 2) | Asserting and defending one’s rights, also through extrajudicial initiatives and by means of third parties, as well as preventing and detecting fraudulent activities or the misuse of the Website (for potential criminal activities such as identity thefts, ICT crimes, and the like). | Pursuing the legitimate interest of the Controller. |
| 3) | Allowing the Users to access the Website and browse it optimally, as well as to manage the requests coming through the Website. | Executing pre-contractual measures at the User’s request. |
| 4) | Concerning the browsing by the Users sub Paragraph 1 subsection a), for the security of the systems belonging to the Controller and to acquire statistical information on the use of the Website (such as the more frequently visited pages on the website and the average time spent on each page), as well as to control and administrate the workings of the Website and improve the services provided. | Pursuing the legitimate interest of the Controller. |
3. Mandatory nature of the disclosure of the required information and data and consequences for failing to disclose them
Except for what has been detailed for browsing information and data (and, within the dedicated policy, for some kinds of cookies), users can freely provide their personal information and data (through forms – within the pages allowing it – or through other methods to the Controller’s contact information) in order to request information or to receive commercial communications.
It shall be understood that failure, even partial failure, to disclose said information and data may prevent the Controller from carrying out what has been required by the User and the marketing and communications activities, as well as the fulfilment of the related obligations, if present.
4. Methods of processing
The Personal Information and Data shall be processed, both through manual and ICT-based tools, exclusively by subjects being authorized and expressly trained for that. The sending of newsletters shall happen via e-mail through the Mailchimp platform.
5. Recipients/categories of recipients of personal information and data
For the purposes detailed in Paragraph 2:
- To companies and professionals in their role as third parties appointed to assert rights, interests and demands by the Data Controller arising from the relationship with the Applicant;
- To State Administrations, Judicial and Administrative Authorities, Public and Private Bodies, also following inspections and checks;
- To the subjects being able to access the data due to legislative provisions, including secondary or EU legislation.
6. Storage periods for personal information and data
The Personal Information and Data shall be stored by the Controller for the time strictly necessary to achieve the purpose they have been collected for; more precisely, the Controller shall store the following:
- The browsing information and data belonging to Users (as detailed in Paragraph 1, subsection a) for the duration of the browsing session and, at any rate, for no longer than seven days, except in the case of system malfunctions; in such cases, they shall be stored until the malfunction is resolved;
- The personal information and data disclosed by Users (as detailed in Paragraph 1, subsection b):
- Concerning the personal information and data needed to receive the newsletter, until the User withdraws his or her consent, should he or she so decide;
- In every other case, for the time needed to handle the relevant request;
- The Personal Information and Data whose processing is required by legal obligations for the duration provided for in the legislation;
At any rate, concerning the purposes detailed in Paragraph 2, subsection 2, the Personal Information and Data shall be stored, at the maximum, for a period equivalent to the duration of the statute of limitations, increased by a further six months as a cautionary period, in order to ensure the Company the right to legal defence concerning possible future disputes, be they judicial or administrative in nature.
At any rate, once the relevant terms have expired, all the Personal Information and Data shall be erased and anonymized. There shall be no prejudice to the fact that the aforementioned terms may be postponed in case the storage of personal information and data is required in the case of any and all disputes, requests made to the competent authorities or pursuant to legislation in force.
7. Transferring the personal information and data to a third country or to an international organization
Within the aforementioned purposes and, in particular, in order to respond to requests by the User, the Personal Information and Data may be disclosed/transferred to recipients being based in several different countries, including extra-EU countries. The Company shall adopt appropriate protection measures in order to ensure the lawfulness and security of the transfers of Personal Information and Data, for example by relying on the adequacy decisions issued by the European Commission or on other guarantees or conditions deemed adequate to the User’s rights.
The User may request further information on such transfers by sending the Controller a request in writing.
Users may, should the circumstances allow, exercise the following rights before the Controller, at any time and free of charge:
- Right to access: it allows the Users to obtain from the Controller confirmation as to whether or not personal information and data concerning him or her are being processed, and, where that is the case, access to the Personal Information and Data;
- Right to rectification: it allows the Users to obtain the rectification/integration of their Personal Information and Data being inaccurate/incomplete;
- Right to erasure: it allows the Users to obtain, in the cases provided for in the legislation, the erasure of their personal information and data;
- Right to restriction of processing: it allows the Users to obtain, in the cases provided for in Art. 18, Paragraph 1 of the GDPR, the restriction (i.e., the marking of stored personal information and data with the aim of limiting their processing in the future) of the processing of their personal information and data;
- Right to data portability: it allows the Users – should the processing be carried out through automated means, on the juridical basis of the contract or of the consent – to receive the personal data and information concerning them and provided by them to the Controller in a structured, commonly used and machine-readable format and to have the right to transmit those data to another data controller.
Furthermore, the Users have the rights to:
- object to the processing of their Personal Information and Data for the purposes detailed in Paragraph 2 sub no. 2 and no. 4 for reasons, to be clarified, connected to a particular situation of theirs;
- withdraw, at any time, their consent to receive the Controller’s newsletter (please see par. 2 sub no. 5), by unsubscribing from the service through the dedicated link placed at the bottom of every newsletter or by sending a specific communication to the Company on the matter to the e-mail address detailed in Paragraph 9, below;
- by the same token, whenever the Users deem that the processing of the Personal Information and Data concerning them through the Website herein is carried out in infringement of the provisions of the GDPR, lodge a complaint before the national Data Supervisory authority based in the EU Member State of which they are habitual residents or where they have their habitual workplace, or where the alleged breach of their rights has happened (should such State be Italy, the body for the lodging of the complaint is the Italian Data Protection Authority) or apply before a suitable court of law (pursuant to Art. 79 of the GDPR).
9. Contact Information
In order to exercise all the rights available to them and to request information, Users may contact the Data Controller by e-mail, at the following address: email@example.com, or by ordinary mail at FPZ S.p.A. at the following address: Via F.lli Cervi 16 – 20863 Concorezzo, Monza e Brianza, Italy, or they may contact the DPO at the following e-mail address: firstname.lastname@example.org.
10. Modifications and changes