Privacy Policy
1. Overview
This policy attempts to explain who processes the data of the data subject (also called the User) and how, what those data are, what the User's rights are, and how they can be exercised. For specific clarifications, where the User does not understand the policy or does not consider its contents sufficient, please write to the following address: [email protected]
2. Some important notions about personal data
What is meant by personal data? Personal data is any information that relates to an identifiable natural person. An e-mail address is personal data. The text of a message, if it reveals information about a person, is personal data.
What does it mean to process data? The legal definition of processing includes any operation or set of operations concerning the collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, erasure and destruction of data. In practice, then, anything that can be done with user data is processing. Merely collecting or reading data, i.e., consulting them, is therefore already processing.
3. Who processes the data
The data controller is the person who makes the decisions about how to process data, so – among other things – what precautions to take to protect it, where to host it (whether on servers or in the cloud, etc.), what data to ask from the user, what to process and for what purpose, what to disclose and to whom, how to handle user relationships and rights, who to choose as a collaborator, manager or simple appointee to process the data, what instructions to give to collaborators, etc. Since the data controller is therefore very important, the user should know that it is:
Società Italiana Lastre S.p.a.
Headquarters: Via Francesco Lenzi 26, Verolanuova (BS);
VAT and tax identification number: 02095460982
Tel: 030 992 0900
E-mail: [email protected]
Then, with regard to any ancillary functions, the Controller may use internal individuals authorized to process (also called data processors) or external parties mostly as data controllers, as autonomous data controllers or joint data controllers, as the case may be.
3.1 To whom the data are disclosed (or who is given access to them)
The data are disclosed to individuals within the Owner's organization (the employees) who cooperate in the executive and administrative management of the service.
They may be further disclosed in compliance with reporting requirements in the event of a request from a public authority (e.g., request from the court, tax assessment, etc…).
In addition, the data are disclosed to the hosting service, to third-party operators of cookies installed through the website (see the relevant policy), and to social networks where widgets or “like/share etc.” functions are inserted in the website.
It is important to know that Società Italiana Lastre can only manage and control data stored and processed within its own system: data transferred or disclosed to third parties will be processed independently by those third parties, in the manner and to the extent set out in their own privacy policies. In any case, where Società Italiana Lastre ceases to process a user’s personal data, it will also give notice of the cessation to those to whom such data have been disclosed, but it cannot guarantee the cessation of processing by them.
4. Where the data are processed
The Data Controller processes Users' personal data at its own premises. The data are also processed on a server located in the EU, in Italy, at the provider Keliweb. For more information: datacenter.
5. What data are processed
Based on the nature of the data, the following categories can be identified:
- Contact information: e-mail;
- Identifying data: first name, last name;
- Content data: the content of the communication sent by the User through the appropriate form;
- Navigation
6. For what purposes they are processed, and indication of the legal basis and retention period
The Owner processes user data for the following purposes:
I. Responding to requests sent by the user (information, exercising rights, etc.): consists of responding to contacts made by the customer/user (via email or other form of contact).
Legal basis: performance of the service requested by the user in the communication (such as exercising a right) or performance of pre-contractual measures if it is a request for quotations;
Duration: ten years (obligation to keep business correspondence).
Data processed: contact, identifying, and other depending on the content of the request (e.g., the information in the text of the request may refer to people, and as such is personal data).
Mandatory provision: provision of data is mandatory. Failure to confer them will result in the inability to send the request or obtain a response from the Owner.
II. Create contact database: the Owner creates a database of contacts received via forms on the site. The database is used as a backup copy of the addresses from which communications were received;
Legal basis: legitimate interest of the Owner in the storage of contact backup data (deemed to override contrary interests, since it ensures the availability of the data to the Owner and, on the other hand, as the data are of little danger and significance, does not harm the user). Objection by the person concerned is always permitted (see Duration item);
Duration: until deletion is requested by sending an e-mail to [email protected];
Data processed: e-mail, identification, content.
Mandatory provision: in this case, it is not possible to choose whether to provide the data or not, as this is done automatically when the user sends a communication to the Holder. However, the user has the right to request deletion of the data as stated above.
III. Estimate processing: at the request of the user during contact, the Owner proceeds to prepare a quote with the information contained in the communication made by the user;
Legal basis: performance of a contract;
Duration: until the quote expires or until the quote is approved;
Data processed: e-mail, identification, content;
Mandatory provision: the provision of data is mandatory. Failure to give them will result in the inability of the Holder to process a quote.
IV. Sending promotional communications (newsletters): SIL may send periodic e-mail communications regarding promotions of its own or third parties’ products or services, online and offline events to the data subject (person or company) who has given consent.
Legal basis: consent given by the data subject (always revocable);
Duration: until consent is revoked.
Data covered: contact, area of interest, product of interest, first and last name.
Obligation to provide: consent for the newsletter is optional.
7. How the data are conferred
The data are provided directly by the User by filling out the appropriate form on the site or by communicating them through the other means of contact (e-mail and telephone).
8. How the service will “communicate” with the user
The Owner will communicate with the User in the following ways:
- You may receive e-mails, telephone calls, messages or other communications from the Owner: these will be operational communications or otherwise in response to the communication sent by the User. These communications are essential for the regular management of the relationship with the User;
- Sending newsletters only to users who have given consent.
9. What are the rights of users
Users are beneficiaries of a number of rights.
Information rights about:
- Categories of data processed (see points #2 and #5);
- Data origin, i.e., knowing where the service got its data from (see item #7);
- Purposes of data processing, i.e., for what purposes the data are processed (see item #6);
- Contact details of the data controller and any data processors (see item no. 3);
- Subjects to whom data are disclosed (see item no. 3/a);
- Storage time and data processing (see item #6);
- Right to file a complaint before the Privacy Guarantor by accessing the following link: https://www.garanteprivacy.it/i-miei-diritti
- Existence or non-existence of profiling process;
- Legal basis for processing (see point #6).
Then there are rights that are not merely informational but operational. They are of various kinds. In summary:
- The data subject has the right to have a copy of the data he or she has provided. If the data have been processed by automated methods and on the basis of the data subject's consent or a contract, the data subject may request, if technically possible, that the data be transmitted to the data subject or even to a possible new data holder (portability), provided that this operation does not affect the rights (and data) of other persons. Therefore, this right in the present case cannot be exercised in relation to communications that contain third-party data, trade secrets or otherwise protected content. In such a case, the data subject can also request the deletion of the data (unless the law requires the Holder to retain it, as in the case of commercial communications).
- If personal data are inaccurate or incomplete, the data subject may ask for them to be corrected or completed by providing indications to that effect. If the Data Controller needs to verify the accuracy of the data challenged by the data subject, the data subject can in the meantime obtain the limitation of the challenged data (limitation means that the data is only retained and no other processing is done with it except with specific consent of the data subject or if it is needed to exercise or defend a right in court).
- If personal data are no longer necessary for the purposes for which they were collected or otherwise processed, the data subject may request their deletion. If, however, the data is needed by the data subject to exercise his or her right in court, he or she may request that the data be restricted (i.e., retained only).
- If the processing is unlawful because the data is processed in the absence of consent, legitimate interest on the part of the Data Controller, contract for the performance of which the processing itself is necessary, legal obligation to process by the Data Controller, the data subject may request deletion or restriction.
11. What are the duties and burdens of users
The User is obliged to report truthful data.
It is the User’s responsibility to notify the Controller of any changes that have occurred to the personal data previously disclosed. Finally, the onus is on the user, where functionality permits, not to enter excessive data. For example, if the form requires you to enter non-mandatory data (usually marked with an asterisk), it is recommended that you enter it only if you think it is necessary. Similarly, if writing a message through the service, it is recommended to avoid explicit references to identifiable persons unless necessary.
12. Data breach hypothesis
Should one or more of the following events occur with respect to Users’ data: unauthorized access, misappropriation, loss, destruction, disclosure, or modification (so-called Data breach), the Data Controller, without prejudice to the urgent technical measures to be put in place to block (as far as possible) the event and to reduce its damaging effects, undertakes to:
- restore the service efficiently as soon as possible by recovering available data from the last useful backup made;
- inform Users, either directly if circumstances permit or generically (by means of a notice on the home page of the website or by means of a communication sent to all Users, including those whose data may not have been affected), of the type of event, the time at which it occurred, the measures taken (without going into detail in order not to facilitate any new attacks) to reduce the damage and to avoid new similar events, as well as the measures and expedients that the User should, for his or her part, put in place to reduce the likelihood of new events and limit the consequences of those that have already occurred.