According to Legislative Decree no. 196/2003 and subsequent amendments, as well as EU Regulation no. 2016/679 (hereinafter referred to as GDPR 2016/679) laying down provisions for the protection of persons and other subjects regarding the processing of personal data, I wish to inform you that the personal data you provide will be processed in compliance with the above mentioned legislation and confidentiality obligations.
Fornitalia Sas Di Leopoldo Caporali & C., with registered office in Via Archimede, 327 – 21047 Saronno (VA), tax code and VAT number 02046320129, tel. 02.964.59.069 – fax 02.964.59.628 – e-mail: firstname.lastname@example.org; pec: email@example.com.
Fornitalia Sas Di Leopoldo Caporali & C. deals with the management of sales made through e-commerce (by way of example but not limited to: order management, sale and delivery of products through a third party courier, management of returns and guarantees and other activities necessary for the sale of products through e-commerce), but does NOT deal with transactions made by the User/Interested party through their bank, or through the Stripe platform (in the case of payment through an account or credit card). Information on the latter payment instrument can be found at: https://stripe.com/it-us
The processing is aimed solely at the correct and complete performance of the contracts concluded (legal basis of the processing) and, specifically:
- A) without the express consent of the data subject (pursuant to Art. 6(b) et seq. of the GDPR), for the following purposes:
- to allow registration to e-commerce and manage access to the related services
- to maintain and manage the account created following registration
- to process a contract or pre-contractual request and facilitate the purchase of products online, as well as to execute the contract entered into
- to respond to requests to exercise the right of withdrawal and/or the legal guarantee of conformity and/or other rights arising from the purchase contract concluded on e-commerce and/or provided by law in relation to said contract and/or in relation to the service rendered, as well as to carry out any activities that prove necessary as a consequence of the exercise of said rights and to proceed, where appropriate, to the relevant refunds
- process internal statistics;
- fulfil tax obligations arising out of existing relationships;
- comply with obligations provided for by law, regulation, Community legislation or an order from the Authority;
- safeguard the vital interests of the data subject or of another natural person;
- prevent or detect fraudulent activities or abuse harmful to the website;
- to pursue a legitimate interest of the Data Controller or a third party, within the limits and under the conditions set out in Article 6(f) GDPR;
- exercise the rights of the Controller (by way of example only, the right to defence in court).
- B) only with the specific and unambiguous consent of the data subject (ex art. 7, GDPR), for the following purposes:
- acquisition of particular data (when requested) pursuant to Art. 6, paragraph 1, letter a), GDPR.
- sending e-mail newsletters, commercial communications and/or advertising material on products and/or services, different and/or dissimilar to those already purchased, offered by the Controller.
a) The processing is carried out by means of the operations or set of operations indicated in Article 4(1)(a) of the Consolidated Act and Article 4(2) of GDPR 2016/679: collection, recording, organisation, structuring, storage, consultation, processing, adaptation, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure and destruction of data.
b) The operations may be carried out with or without the aid of electronic or automated tools in compliance with the provisions of Article 32 of GDPR 2016/679 on security measures by specially appointed persons and in compliance with the provisions of Article 29 GDPR 2016/679.
c) We point out that, in compliance with the principles of lawfulness, purpose limitation and data minimisation, pursuant to Art. 5 GDPR 2016/679, subject to the free and explicit consent of the data subject, the personal data of the data subject will be retained for the period of time necessary to achieve the purposes for which they are collected and processed, as well as for the period of time strictly related to tax purposes and/or other purposes provided for by laws or regulations. The data subject’s data will be kept for 10 years from the termination of the contractual relationship for any fulfilment consequent to the conclusion of the contract itself, for 2 years for marketing purposes.
The conferment of data for the purposes described in point 1, letter A) is necessary; in the absence of such conferment, the aforesaid activities cannot be carried out.
The provision of data for the purposes described in point 2, letter b), on the other hand, is optional.
Personal data, to the minimum extent possible, may be communicated to the persons in charge of the processing and to all those public and private entities to whom such communication is necessary for the proper fulfilment of the purposes indicated in point 1, or for the fulfilment of legal obligations.
More specifically, the data of the data subject may be communicated to
- employees and collaborators of the Data Controller, consultants authorised to manage the site and to provide related services, in their capacity as internal Data Processors and/or Data Trustees and/or System Administrators
- third party companies or other subjects (by way of example only: credit institutions, professional firms, consultants, couriers and transporters, insurance companies, etc.) that perform outsourcing activities on behalf of the Data Controller, in their capacity as external Data Processors and/or Persons in charge of processing personal data.
Personal data are not subject to circulation.
Personal data may be transferred to countries within the European Union within the scope of the purposes set forth in point 1.
The data will not be transferred outside the European Union. It is in any case understood that, should it become necessary to transfer the location of the servers to countries outside the EU, such transfer will always take place in compliance with Art. 45 et seq. of the GDPR. In this case, however, the Data Controller assures as of now that the transfer of data outside the EU will take place in compliance with the applicable legal provisions by entering into, if necessary, agreements that guarantee an adequate level of protection and/or by adopting the standard contractual clauses provided for by the European Commission.
Pursuant to Articles 9 and 10 of GDPR 2016/679, you may provide the data controller with data qualifying as “special categories of personal data” and namely those data revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data concerning a person’s health or sex life or sexual orientation”. These categories of data may only be processed with the free and explicit consent of the data subject.
The computer systems and software procedures used to operate the site may acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
This category of data includes the IP addresses or domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and IT environment.
These data, necessary for the use of web services, are also processed in order to:
– obtain statistical information on the use of the services (most visited pages, number of visitors per time slot or per day, geographical areas of origin, etc.)
– check the correct functioning of the services offered.
Surfing data are not retained for more than seven days (except in the event of the need to ascertain crimes by the judicial authorities).
At any time, the data subject may exercise, pursuant to Articles 15 to 22 of GDPR 2016/679, the right to:
- a) request confirmation of the existence or non-existence of his/her personal data, access to the same and to information relating thereto, as well as the provision of said personal data in intelligible form;
- b) obtain information about the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be communicated and, when possible, the storage period
- c) obtain the updating, rectification, integration, deletion of data and their transformation into anonymous form. All this without prejudice to the legal obligations arising from the conclusion of the contract and the conservation aimed at protecting the rights of the data controller;
- d) obtain the restriction of processing
- e) obtain portability of the data, i.e. receive them from a data controller in a structured, commonly used and machine-readable format and transmit them to another data controller without hindrance
- f) object to the processing at any time and also in the case of processing for direct marketing purposes;
- g) object to automated decision-making concerning natural persons, including profiling;
- h) revoke consent at any time, without prejudice to the lawfulness of the processing based on consent given before revocation;
- i) lodge a complaint with a supervisory authority (Data Protection Authority – www.garanteprivacy.it).
The interested party may exercise its rights with a written request sent to Fornitalia Sas Di Leopoldo Caporali & C., with registered office: Via Archimede, 327 – 21047 Saronno (VA), Tax Code and VAT number 02046320129, tel. 02.964.59.069 – fax 02.964.59.628 – e-mail: firstname.lastname@example.org; pec: email@example.com