(Art. 13 of Legislative Decree 196/03 and Arts. 13-14 of EU Reg. 679/16 “GDPR”)
Rebecca srl (hereinafter "REBECCA") is constantly committed to adopting technical and organizational solutions aimed at guaranteeing high standards of lawfulness, security and protection in the processing of personal data. To this end, it implements the requirements of the General Data Protection Regulation of the European Union (hereinafter the "GDPR") and of other provisions of law, including, in particular, those of the Code on the protection of personal data (hereinafter "Privacy Code" or "Code"). This disclosure describes to what extent, when, why and how we collect and use your personal information, how we protect it and how you can exercise your rights in relation to it.
1. WHO IS THE DATA CONTROLLER
The Data Controller is Rebecca srl, with registered office in Potenza Picena (MC) 62018, Strada Statale Regina km 3,3, P.IVA 02484770694, in the person of its legal representative. REBECCA has appointed Data Processors, whose list is available upon request to the Data Controller.
2. WHO IS RESPONSIBLE FOR THE DATA
Data Processors are parties that may process the data on behalf of the Data Controller and according to its directives. The Data Processors appointed by us are parties who provide services that are instrumental to the performance of our business and belong to the following categories: Credit Institutions, IT Service Providers, Management Service Providers, Administrative Service Providers, External Professionals and Consultants, Payment Gateways, and third parties who provide us with advertising and marketing services or are in charge of sending documentation and / or informative and / or advertising material.
3. WHAT DATA WE COLLECT
4. ON WHAT BASES WE COLLECT YOUR DATA
We will process your data only if permitted by applicable legal provisions. Specifically, we will process your data, alternatively, on the basis of your consent, for the execution of a contract or pre-contractual measures, to fulfill a legal obligation or to safeguard our legitimate interest. By these terms we mean:
• Consent (Article 6 (1) paragraph 1 (a), Article 7 of the GDPR and, if applicable, Article 9 (2) (a)): we will process certain Data only in the presence of your informed, prior, free and express consent.
• Execution of a contract or pre-contractual measures (Article 6 (1) paragraph 1 (b) GDPR): this legal basis usually concerns relations with our suppliers of goods and services. In order to enter into your contract with REBECCA and to execute it, we need to have access to certain data (usually identification data, bank details and shipping data).
• Compliance with a legal obligation (Article 6 (1) paragraph 1 (c) GDPR): REBECCA is subject to a series of regulatory requirements. In order to ensure compliance with these requirements, we must process certain data.
• Safeguarding of legitimate interests (Article 6 (1) paragraph 1 (f) GDPR): REBECCA will process certain data in order to protect its interests, or the interests of third parties. However, this applies only if, in the specific case, your interests do not prevail.
5. FOR WHAT PURPOSE WE COLLECT YOUR DATA
We will process your data exclusively for the purposes permitted by the GDPR. For your information, the GDPR refers to the following purposes: i) purposes previously approved by you; ii) processing of data in order to execute our Contract (e.g. in relationships with suppliers); iii) implementation of pre-contractual measures; iv) fulfillment of the legal obligations to which we are subject (including obligations and provisions of law established by the competent authorities); v) safeguarding our legitimate interests or the legitimate interests of third parties, except where your interests prevail over them; vi) exercise of our rights and fulfillment of our obligations under the laws on social security and social protection; vii) assessment, exercise or defense of a legal right or claim; viii) reasons of significant public interest; ix) marketing and advertising, in particular direct marketing activities.
We will process your data for the specific purposes listed below, subject to possible extension to purposes related to these, within the limits allowed by law:
PURPOSES / INFORMATION
1. Pre-contractual phase - Before the conclusion of the Contract according to the methods provided for, the processing of the Customer's personal data may pursue pre-contractual purposes, such as responding to specific requests for information from the Customer concerned, by email or telephone.
2. Manage your registration as a user of the Platform - This purpose provides for the processing of your data as illustrated below:
· Access to and browsing of our website are free, but use of our services is permitted only after the Customer has registered, exclusively on our site. The registration process consists of filling out an online form in which the Customer is required to indicate his personal data for the activation of authentication credentials (login + password) with which he will subsequently access the reserved area.
Further primary purposes of the processing are therefore the need to allow the completion of the required prior online registration procedures and the creation of an account, and to allow us to generate and subsequently manage, technically and administratively (including for the purposes of providing support and technical assistance upon request), the account, Client IDs, activation codes, passwords and similar authentication credentials created by the Client as part of the registration process.
· Contact you about updates or informational communications related to the functionality, products or services purchased.
- Management of the reserved area: these primary and main purposes of processing the registered customer's data also include allowing him to access the web pages and, where possible, take advantage of online services and pre- and post-contractual assistance for the management of any consequent contractual, administrative, technical or legal matter. With reference to this last processing, the purpose is also to manage any type of request for assistance (technical, commercial and / or contractual) received by the Owner and to provide the related answers to customers. Finally, the primary purposes also include some technical processing carried out through so-called "technical cookies". In these specific cases, the technical processing is aimed solely at carrying out the transmission of a communication over an electronic communications network, to the extent strictly necessary for the Data Controller to provide the services explicitly requested by the Customer.
- Post-sales management: after the conclusion of the contract, on this legal basis, we may process your data to manage a refund, a return or a claim, or the degree of customer satisfaction.
- Activation of the mechanisms necessary to check for and avoid potential fraud against you and damage to us during purchase operations.
If we consider this to be a fraudulent transaction, processing may result in the transaction being blocked.
3. Use and quality analysis to improve our services - Occasionally we carry out quality initiatives and surveys to learn the degree of satisfaction of our customers and users and to identify areas of possible improvement, through requests for feedback or the completion of dedicated questionnaires.
The categories of personal data being processed are represented by common personal data.
6.2 Consent-based processing
You will always have the right to revoke the consent granted with effect for the future, without prejudice to the validity of the processing carried out until the revocation. We consider the following processing to be based on consent:
a. Direct Marketing - With your optional consent, which can be expressed by selecting the appropriate consent box on the Website (opt-in), we will process your data for marketing purposes (sending advertising material, carrying out market research, commercial communication, surveying the degree of satisfaction of customers) and for sending, by post, email and / or SMS / MMS, advertising information, offers and promotions relating to our products and services. If you do not consent to the processing of your personal data for marketing purposes, your ability to browse the site, register on the site and use the Services provided will not be compromised in any way, nor will you suffer any other detrimental consequence.
In any case, you can freely revoke your consent to the processing of your personal data for marketing purposes at any time, even selectively (for example, by communicating your wish to no longer receive e-mail communications while continuing to receive communications through other contact methods), by sending an email to us at firstname.lastname@example.org. In relation to promotional communications sent by e-mail, you may withdraw your consent to the processing of your email address for marketing purposes by clicking on the cancellation link (opt-out) present in each promotional e-mail.
For the sake of transparency, and as required by the WP259 Guidelines on consent under the Regulation issued by the Group of European Guarantors, it should be noted that, as an exception to the rule of granularity of consent (as many consents to be requested as there are purposes and processing operations, if these are heterogeneous), these Guidelines authorize a single consent formula "to cover various processing operations, where such processing operations pursue a series of unitary objectives"; moreover, according to Recital 32 of the Regulation, a single consent can be applied "to all processing activities carried out for the same or the same purposes". The objectives indicated above are objectively attributable to the pursuit of a single purpose, although the processing operations are different, which is that of commercial promotion and marketing in the broad sense.
Consequently, by granting the unified consent to the Treatment for Marketing Purposes, the interested party specifically takes note of the homogeneous and different promotional, commercial and marketing purposes specified in detail (including the consequent management and administrative activities) and expressly authorizes said processing and said purposes, both where the means used for the Treatment for Marketing Purposes are the telephone with operator or other non-electronic means, not telematic or not supported by automatic, electronic or telematic mechanisms and / or procedures, and where the means used for the Treatment for Marketing Purposes are e-mail, fax, SMS, MMS, automatic systems without operator intervention and similar, including electronic platforms and other telematic means, and this pursuant to art. 6, paragraph 1, letter (a) of the Regulations, as a specific and further legal basis of the Treatment for Marketing Purposes.
For the sake of transparency, please note that the processing and the purposes specified above are pursued by the Data Controller during the contractual relationship and also, specifically, following the termination of the Contract for any reason, sometimes in order to send unsolicited communications to the interested party inviting him to renew the contract by any of the aforementioned means (telephone with operator, non-electronic means, not telematic or not supported by automatic and electronic mechanisms or procedures, e-mail, fax, SMS, MMS, automatic systems without operator intervention and similar, including electronic platforms and other telematic means).
Pursuant to the General Provision of the Privacy Guarantor of May 15, 2013 entitled "Consent to the processing of personal data for purposes of "direct marketing" through traditional and automated contact tools", the Customer's attention is specifically drawn to the fact that:
- the consent given for the sending of commercial and promotional communications through the use of electronic mail, fax, SMS, MMS, automatic systems without operator intervention and similar, including electronic platforms and other electronic means, will involve the receipt of such communications not only through these automated methods of contact, but also through traditional methods, such as paper mail or calls by an operator;
- the right to oppose the processing of personal data for purposes of "direct marketing" through the aforementioned automated methods of contact will in any case extend to the traditional ones and, even in this case, the possibility remains of exercising such right in part, both with respect to certain means and with respect to certain processing;
- the possibility remains for the interested party who does not intend to give consent in the terms indicated above to express a wish to receive communications for the aforementioned marketing purposes exclusively through traditional methods of contact, where provided for: this can be exercised free of charge by simply sending an email to email@example.com.
For the purposes of compliance with the privacy obligations of the Owner, in accordance with the principles of simplification of those obligations pursuant to the General Provision of the Privacy Guarantor of May 15, 2013 entitled "Consent to the processing of personal data for purposes of "direct marketing" through traditional and automated contact tools", the Owner informs the Client that the specific consent formula available according to the consent collection procedure in use from time to time will be unified and comprehensive and will refer to all the possible means of marketing processing listed above; the possibility remains for the interested party to express a different wish as to the use of certain means and not of others for the receipt, after consent, of marketing communications by simply sending an email to firstname.lastname@example.org.
Furthermore, also for the purposes of compliance with the privacy obligations of the Owner, in accordance with the principles of simplification of those obligations, the Data Controller informs the Customer, also pursuant to the Regulation and the WP259 Guidelines on consent under the Regulation issued by the Group of European Guarantors, that the specific consent formula will be unitary and comprehensive and will also refer to all the different and possible marketing purposes expressed here (without multiplying the consent formulas for each distinct marketing purpose pursued by the Owner), without prejudice to the possibility for the interested party to notify a different, selective wish regarding consent, refusal of consent or revocation of consent for individual marketing purposes by simply sending an email to email@example.com.
To proceed with the Treatment for Marketing Purposes, each Data Controller must obtain from the interested party an informed, free, unambiguous, specific, separate, express, documented, prior and completely optional consent.
With a view to absolute transparency, the Data Controller summarizes the purposes of the processing in greater detail:
- to send advertising and informative material (e.g. Newsletters), promotional or otherwise commercial;
- to carry out direct sales or placement activities for the products or services of the Data Controller;
- to send commercial information or make interactive commercial communications, also pursuant to Legislative Decree 206/2005, through the use of email;
- to prepare studies, research and market statistics, also in identifying form;
- to send unsolicited commercial communications pursuant to Article 9 of Legislative Decree 9 April 2003 no. 70.
Therefore, by granting the optional consent, the interested party specifically takes note of and authorizes such processing and / or processing that pursues the homogeneous, different purposes set forth herein. In any case, even if the person concerned has given consent to authorize the Data Controller to pursue all the purposes of the Treatment for Marketing Purposes, he will remain free at any time to revoke it through our website, by accessing his personal area with his own credentials. Following the revocation of the consent given by the interested party, the Data Controller will promptly remove and delete the data from the databases used for the Treatment for Marketing Purposes and will inform, for the same purposes of cancellation, the third parties to whom the data have been communicated. We inform you specifically and separately, as required by art. 21 of the Regulations, that the interested party has the right to oppose at any time the processing of personal data concerning him for such purposes and that, if the person opposes processing for direct marketing purposes, the personal data may no longer be processed for these purposes.
6.3 Processing based on legal obligations
Personal data will also be processed to fulfill the obligations established by law, regulation or community legislation and for civil, accounting and tax purposes. The legal basis of the processing, in these cases, is the need to fulfill a legal obligation to which the Data Controller is subject. The categories of personal data being processed are represented by common personal data.
6.4 Processing based on legitimate interest
Personal data may also be processed to assert or defend before the competent bodies (judicial, arbitration, administrative, etc.) our rights of any kind, whether they are connected to the Contract or not (e.g. non-compliance). In this case, the legal basis of the processing is the legitimate interest of the Owner.
6. TO WHOM WE CAN COMMUNICATE THE DATA
In all the cases illustrated above, and according to the Regulations and the applicable Italian legislation on the protection of personal data, REBECCA may communicate your personal data to the following categories of external recipients. As required by the WP 260/2017 Guidelines on transparency, where REBECCA chooses to indicate the recipients of the data by category, it must justify why it considers this approach correct, and in any case the reference to the category must not be generic but specific, with reference to the activities carried out, the sector, the industry and the territorial location of the recipients identified by category. In this perspective, REBECCA considers the approach by categories of recipients to be correct in this case, since naming each supplier and sub-supplier individually would be excessive. Third-party suppliers are represented by the following categories: companies in the banking and credit sector that provide services for the management of financial transactions (e.g. Paypal); suppliers in the ICT services sector for the installation, assistance and maintenance of IT and telematic systems and of all the services that are functionally connected and necessary for the performance of the services covered by the Contract; persons, companies or professional offices that provide assistance, consultancy or collaboration in accounting, administrative, legal, tax and financial matters.
As required by the WP 260/2017 Guidelines, therefore, we provide the relevant indications on the recipients of the data communication according to the obligations laid down therein (obligatory indication, where possible, of the subjects and the entities that receive the data in communication, including external managers, co-controllers, internal managers):
- Public Administrations, for the performance of institutional functions within the limits established by law or regulations;
- Third-party service providers to whom communication is necessary for the performance of the services covered by the Contract, for compliance with legal obligations or for the protection of our rights;
- Our personnel authorized to process.
In addition, for the pursuit of the primary purposes, the data may be disclosed to any external third party when the disclosure is mandatory by law or necessary to properly perform REBECCA's contractual services (e.g. credit institutes, for the profiles related to the fulfillment of collections and payments), pre-contractual or post-contractual services (e.g. technical assistance and requests for support, or the handling of complaints submitted by the Customer). With reference to the indication of the internal subjects or the categories of subjects that may become aware of the Customer's personal data as managers or agents, we refer to our staff, including the IT technicians who manage the websites and the related electronic communications infrastructure necessary for this. Personal data will not be disseminated.
7. FOR HOW LONG WE WILL TREAT YOUR DATA
In accordance with art. 5, co. 1, lett. e) of the GDPR, we will process your data only for the time necessary for the purposes for which they are processed. After this deadline, as soon as the last specific purpose has been fulfilled, the data will be securely deleted or saved in a format that does not allow any direct conclusion to be reached in relation to your identity. In conclusion, depending on the case, REBECCA will process your data for as long as you allow it (in cases of consent-based processing), as well as for the time necessary to execute the contract between you and REBECCA (in the case of a contract) or, at most, for as long as it is obliged to do so by legal obligations or to protect its legitimate interest.
Purposes / Retention period
1. Management of your registration as a user of the Platform: your data is processed for as long as you are a registered user, that is, until you request cancellation of your subscription to the Platform.
2. Fulfillment and execution of the sales or service contract: your data is processed for as long as necessary for the management of the purchase of products or the provision of services requested by you, including any returns or complaints associated with the purchase of a given product or the provision of a given service.
3. Customer support: your data is processed for the time necessary to process your request.
4. Marketing: the data will be processed where the customer has given the specific consent to be contacted even later, and until there is a possible revocation. If the customer participates in promotional activities, we will retain the data for a maximum period of two years from the end of the activity.
The data processed for contractual purposes will normally be stored for a period of 10 years, owing to the obligations imposed by civil and tax laws and for the protection of our rights deriving from the contract.
In any case, the personal data that are the object of Treatment for Marketing Purposes or Treatment for Profiling purposes will be canceled if the Customer revokes the specific consent; the storage times in this case therefore depend on the choice of the interested party but, in any case, with a view to minimization, the consent will be requested again after 12 months for treatments for profiling purposes and after 24 months for treatments for marketing purposes.
8. HOW WE PROTECT YOUR DATA
We will process your personal data on the basis of the security obligations related to the processing of data pursuant to art. 32 GDPR. In order to guarantee an adequate level of data protection aimed at limiting the risk of their use in an improper or illicit manner, technical and organizational measures have been implemented that respect internationally recognized standards and these measures are constantly checked.
9. WHERE WE COLLECT THE DATA
10. HOW WE TREAT THE DATA
REBECCA will process your data in both paper and IT form. Specifically, data processing should include all the following activities: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of data.
11. TRANSFER OF DATA ABROAD
Rebecca may need to transfer the personal data of users abroad to provide services to the user and to pursue the other purposes set out in this Notice. Before proceeding with the transfer of data outside the European Union, it will adopt the appropriate precautions, including contractual ones, provided for by the applicable privacy legislation, in order to guarantee the protection, security and confidentiality of the personal data transferred (for example, it will adopt the Standard Contractual Clauses provided by the European Commission), or it will verify that the recipient, if established in the United States, is regularly enrolled in the "Privacy Shield" program (more information at the following links: http://eur-lex.europa.eu/legal-content/IT/TXT/PDF/?uri=CELEX:32016D1250&qid=1488382124070&from=IT - https://www.privacyshield.gov/list). Rebecca will keep a copy of these guarantees at its registered office in case consultation is necessary.
12. PRIVACY OF MINORS
All persons under 18 years of age are minors. REBECCA does not intentionally collect personal data from or relating to minors without the consent of a parent or guardian. Should REBECCA learn that it has been sent personal data relating to a minor without the consent of a parent or guardian, it will make every reasonable effort to:
• delete such personal data from its files as soon as possible;
• ensure that these personal data are not further used for any purpose, nor further disclosed to third parties.
For any questions regarding the processing of personal data of their children, parents or guardians can contact us in the ways described in this statement.
13. WHAT ARE YOUR RIGHTS
As a data subject, you have the following rights:
a) Right of access - You can request at any time that you are provided with information about your data stored by us. This information refers, among other things, to the categories of data processed by us, the purposes of the processing, the origin of the data in case we did not obtain it directly from you, as well as the recipients to whom we may have transferred your data, where applicable. You can receive a free copy of your data. If you wish to obtain further copies, we reserve the right to request a fee.
b) Right of rectification - You can request a correction of your data. We will take appropriate measures to ensure that your data stored and processed by us on an ongoing basis is kept correct, complete, up-to-date and relevant, based on the most recent information provided to us. In order to rectify their data, including the modification of the consent granted for the secondary purposes of the processing, the data subject may also access his personal area with his own credentials.
c) Right of integration - The data subject has the right to obtain the integration of incomplete personal data, also by providing an additional declaration.
d) Cancellation right - You can request the cancellation of your data, provided that the conditions set by law exist. For example, this could occur:
- if the Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- if you withdraw the consent on which the processing of the data is based, and there is no other legal basis for the processing;
- if you oppose the processing of your data and there are no legitimate reasons to proceed with processing, or if you oppose the processing of data for direct marketing purposes;
- if the Data were processed illegally;
- if the data are to be deleted to fulfill a legal obligation.
This applies provided that there are no cases in which the processing is necessary:
- for the fulfillment of a legal obligation that requires the processing of your data, in particular regarding the periods of conservation of the documents required by law;
- for the assessment, exercise or defense of a legal right or claim.
e) Right to limit processing - You will be able to obtain a limitation on the processing of your data. This right can be exercised, for example:
- if you dispute the accuracy of the Data, for the period that allows us to verify the accuracy of such Data;
- if the processing is illegal and you oppose the cancellation of your data, requesting instead that its use be limited;
- if we no longer need your data, but these are necessary for the assessment, exercise or defense of a right in court;
- if you are opposed to processing, pending verification of the possible prevalence of our legitimate interests, as the data controller, with respect to yours.
f) Opposition right - You can oppose at any time, for reasons connected to your particular situation, the processing of your data pursuant to art. 6, paragraph 1, letters e) or f) of the GDPR, or if personal data are processed for direct marketing purposes. In this case, we will no longer process your data. This last condition does not apply if we can demonstrate the existence of binding legitimate reasons that justify the processing and that prevail over your interests, or if we need your data to ascertain, exercise or defend a right in court.
g) Right to request a copy of the protection measures - We refer in particular to the measures set up for the transfer of data to third countries, if applicable.
h) Right to withdraw consent at any time - Where the processing is based on consent. The withdrawal of consent will not however prejudice the lawfulness of the processing based on your consent given before the revocation.
i) Right to lodge a complaint with the control authority - If you do not consider the response provided by REBECCA to any requests and / or reports to be exhaustive, you are still entitled to file a complaint with a competent authority on data protection, pursuant to art. 77 of the GDPR.
• Below you will find the contact details of the Guarantor for the protection of personal data: http://www.garanteprivacy.it/web/guest/home/footer/contatti
• Here you can find a model for the exercise of the rights related to your personal data: http://126.96.36.199/web/guest/home/docweb/-/docweb-display/docweb/4535524
Normally we will handle your requests within a period of 30 days. However, this period may be extended for reasons relating to the specific right of the data subject or the complexity of your request. In certain situations, owing to legal obligations, we may not be able to provide you with information about all your data. If we are forced to decline your request for information in such a case, we will also clarify the reasons for our denial.
14. WHAT IS IN PARTICULAR THE RIGHT TO PORTABILITY
You have the right to receive a copy, in a structured and common format, of the Data you previously provided directly to REBECCA. This right covers only personal data that (a) concern the interested party, and (b) were provided by the interested party to the Concession holder. The portability of data includes the right of the data subject to receive a subset of the personal data concerning him processed by the Concessionaire and to keep them in view of further use for personal purposes. This conservation can take place on a personal support or on a private cloud, without necessarily involving the transmission of data to another owner. Portability is a sort of integration and strengthening of the different right of access to personal data, also provided for by art. 15 of the Regulations.
If the Customer requests portability together with the direct transmission of his data to another data controller, please note that this right is subject to the condition of technical feasibility: art. 20, paragraph 2 of the Regulation provides that data may be transmitted directly from one owner to another at the request of the data subject, where this is technically possible. The technical feasibility of transmission from one holder to another must be assessed on a case-by-case basis. Recital 68 of the Regulation clarifies the limits of what is "technically feasible", specifying that "it should not imply the obligation for the owners to adopt or maintain technically compatible treatment systems". Therefore, the direct transmission of data from the Concession holder to another holder may take place if it is possible to establish communication between the systems of the two holders (transferor and receiver) in a secure manner, and if the receiving system is technically able to receive the incoming data. In the event that technical impediments preclude direct transmission, the Concessionaire will complete the training and explain the details to the interested party.
As regards the interoperability of formats to ensure portability, the Concessionaire will comply with the provisions of paragraph 1021, letter (b) of Law 205/2017 ("presence of adequate infrastructures for the interoperability of the formats with which the data are made available to the interested parties") within the limits of what is clarified by the Guidelines on the portability of data WP242 issued by the Group of European Guarantors ("The expectation is that the holder transmits personal data in an interoperable format, but this does not impose any obligation on the other holders to support this format"). In accordance with the WP242 Data Portability Guidelines, holders who comply with a portability request have no specific obligation to verify the quality of the data before transmitting them. Furthermore, portability does not impose any obligation on the Concessionaire to store data for a period longer than necessary or further than specified. Above all, it does not impose any further obligation to retain personal data for the sole purpose of fulfilling a potential request for portability. The exercise of the right to data portability (or any other right under the Regulation) does not affect any of the other rights. The interested party can continue to benefit from the service offered by the Concessionaire even after a portability operation has been completed. Portability does not result in automatic deletion of data stored in the Concessionaire's systems and does not affect the retention period originally envisaged for the data being transmitted. The interested party can exercise the rights as long as the processing carried out by the Dealer continues.
For any request or information concerning the processing of your personal data, you can contact us:
- by e-mail to the address firstname.lastname@example.org
- by mail to: Rebecca srl, Via Industria, 17-62017 Porto Recanati (MC)
- by phone or fax to the number 0733-672081
Last updated: 7/19/2018