PREAMBLE
What is this document?
This document is the policy on the processing of personal data related to the website and social pages.
Why this document?
National and international regulations on the protection of personal data require that you, the data subject, be informed of the personal data being processed and of who will process it, in order to ensure that the processing is fair and transparent.
Who processes the personal data, which personal data is processed, the purposes for which it is processed, how long it is processed, what your rights are and how to exercise them are all clearly listed below.
Which regulations does this document refer to?
- Regulation (EU) 2016/679 on the Protection of Personal Data (hereinafter “Regulation”)
- D.Lgs. 196/2003 (“Privacy Code”)
- Guidelines for cookies and other tracking tools - 10 June 2021 (Official Journal no. 163 of 9 July 2021)
POLICY
1. DATA CONTROLLER
ERGON S.p.A., Contrada Bettafilava snc, 97100 Ragusa (RG), Fiscal Code 01220100885, Tel. +39 0932607711, E-mail [email protected], PEC [email protected] (hereinafter “Controller”)
2. DATA PROTECTION OFFICER - DPO
Domiciled at ERGON S.p.A., Contrada Bettafilava snc, 97100 Ragusa (RG), E-mail [email protected] (hereinafter “DPO”)
3. PURPOSES, LEGAL BASES, STORAGE PERIOD AND NATURE OF THE PROCESSING
Personal data, according to the actions carried out by the data subject, shall be processed for the following purposes:
- Responding to requests received by means of data collection forms:
  - the legal basis of this processing is the necessity to implement pre-contractual or contractual measures adopted upon request of the data subject;
  - the storage period of the personal data processed for this purpose is equal to the time necessary to process the request;
  - the personal data requested is necessary to process the request and any refusal will prevent the Controller from replying to the data subject.
- Responding to requests received by means of social platforms (direct messages or on the wall):
  - the legal basis of this processing is the necessity to implement pre-contractual or contractual measures adopted upon request of the data subject (for instance: replying to and handling an enquiry about a product present on the company social platforms by means of private messages) and, in that event, your name or user name and any other data you provide will be used to reply to your request;
  - the storage period of the personal data processed for this purpose is equal to the time necessary to process the request;
  - the personal data requested is necessary to process the request and any refusal will prevent the Controller from replying to the data subject.
- Sending of informative and promotional material (direct marketing), also by e-mail and SMS (mailing list, offers, etc.) and “instant messaging” (WhatsApp, Messenger, etc.):
  - the legal basis of this processing is the explicit consent of the data subject;
  - the storage period of the personal data processed for this purpose is until the data subject requests to unsubscribe from the promotional communication/newsletter service. Please note that consent can be withdrawn at any time without affecting the lawfulness of processing carried out before the withdrawal;
  - the provision of personal data is discretionary and any refusal will prevent the data subject from receiving the informative and promotional material.
- Analysing habits and consumption choices (profiling) and carrying out market research (surveys and analysis of Client satisfaction):
  - the legal basis of this processing is the explicit consent of the data subject;
  - the storage period of the personal data processed for this purpose is until the data subject withdraws consent. Please note that consent can be withdrawn at any time without affecting the lawfulness of processing carried out before the withdrawal. Further information on the logic implemented and on the safeguards provided for the data subject is available by sending a written request to the Controller;
  - the provision of personal data is discretionary and any refusal will prevent the Controller from profiling the data subject.
- Administrative and management purposes and compliance with obligations laid down by law, regulation or order of the Authority:
  - the legal basis derives from the necessity to comply with a legal obligation to which the Controller is subject;
  - the storage period of the personal data processed for this purpose is connected to each legal obligation regulated by specific legislation;
  - the provision of personal data is mandatory, since the Controller has to comply with a legal obligation to which it is subject or with requests of the competent Authorities.
- Prevention, detection and prosecution of unlawful conduct:
  - the legal basis of this processing is the legitimate interest pursued by the Controller in preventing, detecting and prosecuting unlawful actions or violations of industrial and/or intellectual property rights (even of third parties), cybercrimes or crimes committed via telecommunication networks, and defamation or similar crimes committed on the website or during interaction with the respective communities of the social media managed by the Controller (for instance: publishing a comment, clicking on “like” or sharing a post, etc.);
  - the storage period of the personal data processed for this purpose is equal to the time reasonably necessary to assert the Controller’s rights from the time the unlawful act or its potential commission was known.
4. PERSONAL DATA PROCESSED
By processing of personal data we mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal data which can be described as “special categories of personal data”, pursuant to Article 9 of the Regulation, could be sent by the data subject to the Controller (for instance, in the “your message” field of the contact form). Such data reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or concerns the health, sex life or sexual orientation of a natural person. This category of personal data will be processed by the Controller in order to process the request received. Further processing of special categories of personal data by the Controller will be carried out only upon explicit consent.
Further personal data processed by the Controller:
- Browsing data: During their normal operation, the computer systems and software responsible for the functioning of this website acquire some personal data whose transfer is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of computers and terminals used by the users, URI/URL addresses (Uniform Resource Identifier/Locator) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response given by the server (successful, error, etc.), and other parameters concerning the operating system and the IT environment of the user. Such data, necessary to use the web services, is also processed to obtain statistical information on the use of the services (most visited pages, number of visitors per time slot or per day, geographical areas of origin, etc.) and to check the correct functioning of the services offered. Browsing data does not persist for more than seven days and is deleted immediately after its aggregation (except where needed by the judicial Authority to detect criminal offences);
- Data communicated by the user: The discretionary, explicit and voluntary sending of messages to the contact addresses of the Controller entails the acquisition of the contact data of the sender, which is necessary to reply, as well as the personal data included in the communications;
- Social Media Platforms: The use of the company social pages entails further processing of your personal data by the respective social platform provider, not strictly related to your interaction with us. The processing of users’ personal data complies with the policies in use on the platforms used; in this regard, we refer to the privacy policies of the providers of the social platforms we use. Personal data shared by users via private messages sent directly to the managers of the channels will be processed in compliance with the data protection regulations in force and with this policy.
- Cookies and other tracking systems: We refer to the detailed policy available at the following link: https://www.arddiscount.it/site/informativa-cookies
5. RECIPIENTS OF THE PERSONAL DATA
Personal data, depending on the actions carried out by the data subject, will be processed for the above-mentioned purposes by:
- personnel explicitly authorized by the Controller pursuant to Article 2-quaterdecies of the Legislative Decree 196/2003, necessary to carry out activities strictly related to the provision of services/products, who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and who have received adequate operational instructions pursuant to Article 29 of the Regulation;
- entities, who act as “Processors”, pursuant to Article 28 of the Regulation, namely persons, companies or professionals, who assist and advise the Controller;
- entities, bodies or Authorities to whom it is mandatory to communicate your personal data by virtue of provisions laid down by law or orders of the Authority;
- entities with whom it is necessary to interact for the provision of services/products, as independent controllers.
The full list of Data Processors is available by sending a written request to the Controller.
6. TRANSFER OF THE PERSONAL DATA
Some of your personal data is shared with recipients who could be located outside the European Economic Area (EEA). The Controller ensures that the processing of your personal data by these recipients is carried out in compliance with the Regulation. Indeed, transfers shall be based on an adequacy decision or on Standard Contractual Clauses approved by the European Commission. Further information is available from the Data Controller.
7. EXISTENCE OF AUTOMATED DECISION-MAKING, INCLUDING PROFILING
The Controller shall not employ automated decision-making on the processing of personal data, including profiling, as set out in Article 22 of the Regulation. Further information is available from the Controller.
8. PERSONAL DATA RELATED TO MINORS UNDER 18 YEARS OF AGE
Minors under 18 years of age may not provide personal data. The Controller shall not be liable in any way for any collection of personal data, nor for any false declarations provided by the minor, and in any case, if the use of such data is detected, the Controller shall facilitate requests for access and erasure submitted by the guardian, trustee or person exercising parental responsibility.
9. RIGHTS OF THE DATA SUBJECT
The data subject shall have the right to obtain from the Controller, in the cases envisaged, access to the personal data, the rectification or erasure of such data or the restriction of processing concerning him/her, or to object to processing (Article 15 et seq. of the Regulation). The specific request to the Controller shall be presented by contacting the e-mail address designated for responding to data subjects or by filling in the form available in the dedicated privacy section.
10. RIGHT TO LODGE A COMPLAINT
A data subject who believes that the processing of his/her personal data is taking place in breach of the provisions of the Law and Regulation shall have the right to lodge a complaint with the Italian Data Protection Authority (www.gpdp.it), as provided for in Article 77 of the Regulation, or to bring the issue before the competent courts (Article 79 of the Regulation), if the breach happened in the territory of the European Union.
11. HOW TO EXERCISE THE RIGHTS
To exercise the rights above, you can contact the parties appointed to respond to data subjects:
- Data Controller: ERGON S.p.A., Contrada Bettafilava snc, 97100 Ragusa (RG), Tel. +39 0932607711, E-mail [email protected], PEC [email protected]
- Data Protection Officer (DPO): Domiciled at ERGON S.p.A., Contrada Bettafilava snc, 97100 Ragusa (RG), E-mail [email protected]
12. MODIFICATIONS
The Controller reserves the right to modify and/or supplement this policy at any time and undertakes to publish the modification on the website www.arddiscount.it. Data subjects are invited to periodically check its content. This policy is effective from 23/09/2024.