Table of contents
1. General provisions
2. Data subjects and scope of application
3. Types and source of processed Personal Data
4. Legal basis for and purposes of processing the Personal Data. Period of data retention
5. Persons in charge of the processing and processors
6. Processing of hidden Personal Data (of Website navigation)
7. Method and place of processing, transfer of Personal Data
8. Data Subjects’ rights
1. General provisions
1.1 Introduction. This website (“Website”) refers to one of the companies (“Company”) which is part of the international industrial group headed by Coesia S.p.A. (“Coesia”) and composed of all the companies listed on this webpage (“Coesia Entity(ies)”). This Privacy Policy explains how information and data identifying the data subjects described in article 2.1 (“Personal Data”) are processed, according to any national legislation in force on personal data protection (“National Data Protection Laws”) and the EU General Data Protection Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing the Directive 95/46/EC (“GDPR”).
1.2 Controller and Joint Controller. Company processes Personal Data as a Controller (or Joint Controller, as the case may be), as defined in the National Data Protection Laws and in the GDPR. The identity and contact details of Company are specified in the Website’s footer. In particular, the Personal Data of any individual/entity/natural person or representative of customer legal entities (“Customers”) with which the Company establishes commercial/contractual/pre-contractual relationships as client/prospects are jointly processed by the Company and Coesia under their legitimate interest, in accordance with article 4.1 of this Privacy Policy and with the joint controllership agreement signed by Coesia and the relevant Coesia Entities.
1.3 Amendments. The Controller reserves the right to amend and update the Privacy Policy as a result of any further new or revised provisions of any national and EU laws and regulations on personal data protection. The Privacy Policy shall be published on the Website and marked with month of publication. Any new release of the Privacy Policy shall be published on the Website as a replacement of the previous version and shall be valid and enforceable from the publication date, unless otherwise specified.
1.4 Applicable rules. The Controller processes Personal Data in accordance with: (i) provisions of National Data Protection Laws in force as of the date of the Privacy Policy; (ii) provisions of the GDPR and, in particular, with the principles set forth in the same, such as, inter alia, lawfulness, fairness and transparency, purpose limitation, data adequacy and minimization, accountability, accuracy, and – prior to any processing activity – the principles of privacy by design and privacy by default; (iii) guidelines and decisions issued by the competent supervisory authority (“Supervisory Authority”).
2. Data subjects and scope of application
2.1 Data subjects. Company processing activities relate to (i) any individual visiting the Website (“Visitors”); and (ii) any individual/entity/natural person or representative of customer legal entities with which Company establishes relationships, when registering/attending for Company events and/or signing up for information, informational materials, newsletters and other communications and also any individual/entity/natural person or representative of customer legal entities with which the Company establishes commercial/contractual/pre-contractual relationships as client/prospects (jointly defined “Users”). For the purposes of this Privacy Policy, Visitors and/or Users are to be intended as Data Subjects, as defined in the National Data Protection Laws and in the GDPR.
2.2 Scope of application. The Privacy Policy shall be applicable to Visitors and/or Users, provided that Company, in its capacity as Controller/Joint Controller, is only liable for the processing of Personal Data, which are under its own powers, duties and liabilities. The Privacy Policy shall not be deemed valid and enforceable for any processing activity made by third parties whose websites may be reached by the Website.
3. Types and source of processed Personal Data
3.1 Source. Company processes:
a. in its capacity as Controller/Joint Controller, the Users’ Personal Data – as hereinafter specified – provided by Users;
b. in its capacity as Controller, the Visitors’ Personal Data – as hereinafter specified – as well as any data connected to cookies, used through its Website, according to the Cookie Policy published on the Website.
3.2 Identification data. Company processes Visitors’ and Users’ Personal Data, that consist of common Personal Data; sensitive and/or judicial data (as defined in the National Data Protection Laws in force) and/or special categories of personal data as well as personal data concerning health as defined in the GDPR are expressly excluded from the Company processing activities under the scope of this Privacy Policy (all these types of personal data are hereinafter jointly referred to as “Special Data”). The Personal Data provided by Visitors and Users may include:
a. Navigation data, such as IP addresses, domain names of the computers used by any Visitor connecting with the Website, the URI (Uniform Resource Identifier) addresses of requested resources, the time of request, the server query method, the answered file dimension, the server status code (good, error etc.), other parameters related to the Visitors’ operating system and informatics environment; these data, however, will only be used to extract anonymous statistical information on the Website and its functionalities and will be immediately cancelled at the end of the respective processing activity;
b. Personal Data provided voluntarily or under contractual/pre-contractual steps by Users, such as first name and surname (including first name and surname of the legal representative of the company/entity for which Users are working), tax and VAT code numbers, location/domicile (also for tax purposes), contact details (including mobile numbers, facsimile numbers and/or other identification numbers), postal and email addresses (including business email addresses of employees/collaborators of Users and, where applicable, certified email addresses), postal code numbers, bank accounts details and/or data referred to payments etc.
3.3 Insights data. Company carries out a form of processing of the Personal Data of some selected Data Subjects who are deemed to operate on behalf of the Customers which are more likely to be sales-ready. This processing consists of the analysis of Data Subjects’ interaction with materials (e.g. opening or not of the communication, reading time of the newsletter, download of attached file and/or clicking on links) sent by the Company for marketing communication purposes (“Insights Data”). This processing – referred to the evaluation of Users’ behavior – falls within the definition of “profiling” as set out in article 4(4) of GDPR.
3.4 Special Data. The activities that may be carried out through the Website do not require any provision of Special Data, so that Data Subjects are requested to not supply and/or anyway make available to Company any Special Data. Unless expressly agreed in writing, Special Data inadvertently provided by Data Subjects, shall be cancelled and/or removed or however anonymized by the Controller.
4. Legal basis for and purposes of processing the Personal Data. Period of data retention
4.1 Legal basis. The legal basis for the processing of Personal Data is: (i) the performance of a contract to which the Data Subjects are parties or in order to take steps at the request of the Data Subjects prior to entering into a contract about purpose under art. 4.2 C); (ii) the Data Subjects’ consent; (iii) the legitimate interest of the Company and Coesia, in particular when the processing of Personal Data is necessary for the purposes of preventing fraud or where the processing activity is carried out to accomplish formalities required by law or for direct marketing and profiling purposes related to the use of the CRM (see points D(ii) and G of the following table), subject however to the GDPR requirements.
4.2 Purposes. The Controller/Joint Controller processes Personal Data for the following purposes, as specified in the table below, which furthermore highlights (a) whether an express consent to processing of Personal Data is needed (or not) as well as (b) the period of data retention:
| | Purposes | Consent | Data retention |
|---|---|---|---|
| A. | Allow the Company and/or Coesia to accomplish all formalities required by law, including those of administrative and tax/fiscal nature | Not required | Until the expiry of the data retention period, as provided by the applicable law |
| B. | Improve the Website by analyzing how Visitors and/or Users navigate and/or use the Website | Not required | Not applicable (aggregate or anonymous data) |
| C. | Send communications and reply to queries concerning the Company Activities | Not required | For the period of time necessary to reply and however to enforce Company’s rights |
| D. | Send newsletters of a general informational, promotional and advertising nature and/or other materials for marketing communication purposes, in relation to the Website’s functionalities, to Coesia and Company Activities | Required for newsletters, other materials for advertising or direct e-marketing communication purposes (i.e.: marketing communications sent over electronic communication channels, such as e-mail, facsimile, SMS and MMS-type messages), questionnaires and surveys. Not required for postal and/or email marketing communications sent to clients, according to applicable laws | Until the withdrawal of consent or until a denial has been communicated |
| E. | Communicate Personal Data to Coesia and Coesia group companies in order to receive commercial information, newsletters and/or materials above (under letters C and D) | Required | Until the withdrawal of consent |
| F. | Process Personal Data for statistical analysis purposes | Not required | Not applicable (aggregate or anonymous data) |
4.3 Optional supply of Personal Data. Subject to what is specified above, the provision of Personal Data is fully optional and free. However, failure to provide Personal Data may entail failure to be provided with the communications and/or replies and/or activities requested.
4.4 Consent declaration and withdrawal. In relation to the purposes specified under letters D(i) and E) of the table above, Data Subjects may revoke their consent by informing the Company and/or Coesia Entities by any means and in any form whatsoever, including by email and telephone; however, having particular regard to the purpose specified under letter D(i), in order to facilitate accomplishment of all relevant formalities, related to the request concerned, including the cancellation and removal of the email address from the mailing list, Data Subjects are invited to follow the instructions specified in every newsletter/communication sent by the Company and/or any Coesia Entities. If Data Subjects revoke their consent in relation to the purposes specified under letters D) and E) of the table above, the relevant Coesia Entity processing activities will be interrupted.
4.5 Right to object. In relation to the purposes specified under the letters D(ii) and G(i) of the table above, Users may object at any time to the processing in order to obtain that their Personal Data shall no longer be processed for such purposes. In order to object, Data Subjects are invited to follow the instructions specified in every newsletter.
5. Persons in charge of the processing and processors
5.1 Controller and persons in charge of the processing. Directors, employees, and independent collaborators (independently from the contractual relationship concerned) of the Company and/or Coesia may process Personal Data in their capacity as persons in charge of the processing, according to National Data Protection Laws and to the letter of authorization signed in accordance with art. 29 of the GDPR. The persons in charge of the processing are duly trained and empowered to allow access to Personal Data according to the Privacy Policy and subject to their tasks being performed and assignments.
5.2 Joint controllers and processors. The Controller may designate as processors internal and external entities/individuals, including but not limited to (legal and tax) advisors and third companies (in particular, CRM provider, internet service providers and other IT service providers, also using cloud platforms). The complete list of all processors may be required by Data Subjects to the Controller, by sending an email to the Controller email address specified in article 8.1. of the Privacy Policy. In relation to the purposes specified under the letters D(ii), E and G of the table above, Coesia, the Company and/or the relevant Coesia Entity with which the Personal Data of the Users are communicated and shared, act as Joint Controllers according to article 26 of the GDPR and, therefore, signed a specific joint controllership agreement.
5.3 Limitations. Persons in charge of processing activities and processors – where appointed – shall be appropriately trained and duly empowered to allow access to and use of Personal Data, subject to the specific duties and tasks assigned to them and in compliance with the Privacy Policy.
6. Processing of hidden Personal Data (of Website navigation)
6.1 Navigation data. The Controller processes hidden Personal Data collected during navigation in accordance with the Cookie Policy.
6.2 Link. The Website may include hypertextual links to other websites that are not managed by or otherwise associated with Company. The Controller has no access to or control over such websites. Data Subjects are requested by Controller to read the privacy policies of such third-party websites to which Data Subjects may access from the Website, in order to know the personal data collection and processing methods.
7. Method of processing, storage of Personal Data and security measures
7.1 Methods of processing. The Personal Data of Data Subjects are processed almost exclusively through automated procedures, by using computerized systems and software or, in a limited number of cases, through manual means (e.g. on paper), provided however that in any event such Personal Data are processed adopting methods which are strictly related to the purposes for which such data have been collected and anyway to ensure their security, in accordance with the GDPR and the National Data Protection Laws.
7.2 Place of automated data processing. Processing of Personal Data is made in the head offices of the Controller and/or – if appointed – of the processors and/or joint controllers. Personal Data are stored in the head offices of the Controller/Joint Controller where the physical servers are and in some cases on servers of third parties, which provide cloud services to allow storage of Personal Data.
7.3 Transfer of Personal Data. Personal Data may be transferred for organizational and/or commercial purposes to other Coesia companies, whether they are located in EU or in third countries outside the EU, provided however that in the latter case, the transfer of Personal Data as above specified shall be made subject to the Controller/Joint Controller’s assessment of full compliance with the provisions of the GDPR and in particular with articles 44 and 45 of the same. For instance, the Coesia Entities signed a specific standard contractual clause in relation to the data transfer involved in the common use of the CRM solution for the purposes specified under the letters D(ii), E and G.
7.4 Place of manual data processing. When Personal Data are collected offline (e.g. on paper), all documents where said data are contained, are stored in the head offices of the Controller/Joint Controller or of the processors and service providers, where appointed, and inserted in appropriate archives.
7.5 Dissemination of Personal Data. Personal Data will not be disseminated. Personal Data may be communicated to external processors and/or service providers (e.g. CRM, cloud providers) or – under the conditions set out in articles 4.2, 5.2 and 7.3 above – to the Coesia Entities.
8. Data Subjects’ rights
8.1 Rights. Data Subjects, when they are individual/natural persons, may directly address to the Controller/Joint Controller or the processor/s designated by the same Controller/Joint Controller in order to enforce their rights according to provisions of National Data Protection Laws and to the GDPR (articles 15 and subsequent articles), and, in particular, to have access to their own Personal Data, obtain updating and rectification or erasure of the same, restriction of processing, object on legitimate grounds to processing of their Personal Data (with the effects provided for in the Privacy Policy) as well as obtain data portability by sending an email to the email address privacy@coesia.com or, with specific regard to the newsletter, direct marketing and profiling activity, by clicking the “unsubscribe” button or following the instructions published on the Website or communicated by the Company and/or the other Coesia Entities.
8.2 Complaint. The above notwithstanding, according to articles 13 and 15 of the GDPR, Data Subjects, when they are individual/natural persons, may lodge a complaint with the competent Supervisory Authority, in order to enforce their rights, as specified above.
Version: November 2022