BAIDO SPA, with registered office at VIA TERGOLA 38, 35010 S. GIUSTINA IN COLLE (PD), tax and VAT code 03553440284, as data controller (hereinafter “data controller”), informs you, in accordance with Articles 13 and 14 of EU Regulation No. 2016/679 (hereinafter “GDPR”) and in compliance with Legislative Decree 196/03 (hereinafter, “Privacy Code” as modified by Legislative Decree 101/18), that your data will be processed in the following ways and for the following purposes:
1) Subject matter of processing
Given the services and products proposed by our organisation, the data controller processes personal, identifying and non-identifying data (e.g.: given name, surname, tax code, email address, telephone number) (hereinafter “personal data” or “data”) shared by you when requesting services from our organisation and/or when defining contractual agreements and/or promotional initiatives and for the purposes indicated below. Some services may require the processing of specific data, i.e. personal data that may make it possible to collect certain sensitive data, for example: racial and ethnic origin, membership in political parties, trade unions, associations or organisations, including religious, philosophical, political or union organisations, state of health and sex life (hereinafter “specific data”). Judicial data may be required for some legislative requirements.
2) Purpose and legal basis of the processing
Your personal data are processed:
A) without your express consent, because processing is required by law and/or contract or is related to legitimate interests (Privacy Code and Art. 6 – GDPR), for the following purposes:
• to manage and maintain the services requested by the data subject and to find the person concerned for the organisation of the requested services
• to fulfil existing pre-contractual, contractual and fiscal obligations arising from our relationship with you
• to fulfil obligations under law, regulation, Community legislation or an order of authority, including accounting and tax matters
• to prevent or detect fraudulent activity or harmful abuse and/or for the purposes of existing anti-money-laundering legislation
• for mandatory requirements deriving from requirements of organisational and management models based on specific recognised standards (e.g. ISO, UNI, etc. standards) required by law and/or specific contractual requirements required by the data subject and/or specifically identified as a service requirement
• to exercise the data controller’s rights, e.g., the right of defence in court
• availability of the data subject for information relating to the requested services and their management
• to allow registration of the services and the sending of useful information to the data subject based on the requested services
• specific data processing for requested services and included in the cases listed in Article 9, 2 b) to j)
• for legitimate interest related to commercial communications updating our organisation’s initiatives
As regards the data collected by the website
• to allow registration to the website
• to allow us to answer your questions sent via the “contact form”
• to manage and maintain the website
• to prevent or discover fraudulent activity or harmful abuse to the website; for needs related to operation and maintenance, and any third-party services used by it, System Logs collection, i.e. files recording interactions and that may also contain personal data, such as the user’s IP address
• for legitimate interest related to communications (including commercial) updating initiatives of our organisation and/or deriving from applicable regulatory/legislative requirements
B) only with specific and separate consent (Article 7 GDPR and as per Legislative Decree 196/03), for the following purposes:
B.2 Marketing and/or commercial: Commercial communications and/or advertising material about products or services that are not in the legitimate interest. If you are already our customer, we may send you commercial communications regarding services and products similar to those you have already used, unless you refuse (Privacy Code).
B.3 Use of audio-video footage and photographs, their display and duplication, showing the data subjects, exclusively for the activities and services requested of your organisation and/or for promotional activities of the same and not for other commercial purposes. In other cases, a specific release will be required. This data may be used free of charge.
For other purposes, the data controller will be responsible for defining specific information and consent requirements and/or additional requirements for processing.
3) Means and duration of processing
Your personal data are processed by means of the operations indicated in Legislative Decree 196/03 and in Article 4 2) of the GDPR, and in particular: collection, recording, organisation, storage, consultation, processing, alteration, selection, retrieval, alignment, use, combination, blocking, disclosure, erasure or destruction. Your personal data undergo both paper and electronic and automated processing.
The data controller will process your personal data for the time necessary to fulfil the aforementioned aims, and in any case, for no more than ten years after termination of the relationship for the purposes indicated in point 2.A (unless otherwise required by law). For the purposes set out in point 2.B, the data controller will process the data until consent is withdrawn or after five years from the interruption of the relations/communications with the data subject after the first collection.
Profiling: No data profiling is done.
4) Access to your data
You may have access to your data at any time by a simple request sent to the addresses indicated in this policy.
Your data may be made accessible and/or disclosed for the purposes set out in Articles 2A) and 2B):
Without prejudice to communications and dissemination made in compliance with legal obligations, the data controller may disclose your data in Italy and/or abroad (as indicated in the following points) to:
• the data controller’s employees and collaborators, in their capacity as data managers and/or data processors and/or system administrators
• technicians and/or collaborators for administrative, fiscal and accounting management and/or to fulfil specific legal obligations or for which external suppliers have been identified
• our network of agents, factoring companies, credit institutions, debt collection companies, credit insurance companies, commercial information companies for the services required, professionals and consultants, transport companies, technicians and staff responsible for providing the services/products requested, to supervisory bodies, judicial authorities and to all other subjects to whom communication is required by law for the performance of the said purposes; legal entities entrusted with the services referred to in this policy
• companies or other legal entities, qualified and charged pursuant to Article 28 of Regulation 679/16, for support activities including: management and development of communication, management and development of business processes and projects, communication and promotion systems, storage of personal data. Access may be granted to third parties and related companies providing services deemed necessary and/or useful by the data controller for the management of the business activities and support processes related to or requested by you. Suppliers include companies maintaining computer systems, credit institutions, consultants, companies providing services on computer systems/platforms that the data controller considers useful, companies performing outsourcing activities on behalf of the data controller in their capacity as external data controllers
• data may need to be disclosed for the data controller’s legislative and/or organisational obligations involving the presence of independent subjects with the possibility of receiving data to fulfil the legislative obligations deriving from their role. These recipients may include supervisory bodies, inspectors from third parties, auditors of our organisation, persons and/or entities performing audits at our organisation.
Partners of the data controller, as autonomous data controllers, will process the User’s personal data for their marketing purposes (direct sales, sending of advertising material and commercial communication), and may contact the User by post, e-mail, telephone (fixed and/or mobile) to offer the User products and/or services offered by the same categories of third-party companies and/or by other companies and to present to the User offers, promotions and commercial opportunities. Pursuant to Article 14 3 of the GDPR, once the data has been disclosed, it will be the data controller’s partner’s responsibility to provide the Users all the information provided for in Article 14 of the GDPR.
6) Data transfer
Personal data will be managed and stored on the servers of the data controller and/or third-party companies entrusted with this service and duly appointed as data processors located within the European Union. Our internal servers are currently located in Europe. The data will not be transferred outside the European Union. In any case, it is understood that the data controller may change the location of the servers to non-EU countries, if necessary. In this case, the data controller hereby guarantees that data will be transferred to non-EU countries in accordance with applicable legal provisions, by entering into agreements guaranteeing adequate protection and/or by adopting the standard contractual clauses provided for by the European Commission, if necessary. Some “storage” or mailing services rely on Cloud platforms, which may have servers in non-EU countries, but data is stored only temporarily for the service requested.
7) The mandatory or optional nature of the provision of data and the consequences of refusal
Data must be provided for the purposes set out in point 2.A). If it is not provided, we cannot guarantee the services referred to in point 2.A). The provision of personal data for the purposes set out in point 2.B) is optional.
Therefore, you may decide not to provide any data or to subsequently deny processing of data already provided: in this case, you will not receive commercial communications or advertising material related to the services offered by the data controller. In any case, you will continue to be entitled to the Services mentioned in point 2.A).
8) Rights of the data subject
As data subject, you have the rights referred to in Legislative Decree 196/03 and Articles 15-22 GDPR, and in particular, to:
A) obtain confirmation of the existence of personal data concerning you, even if not yet recorded, and their communication in intelligible form
B) obtain information regarding: the origin of the personal data; the purposes and methods of the processing; the logic applied for processing done using electronic instruments; identification details of the data controller, data processors and representative designated according to the Privacy Code and Article 3 1 of the GDPR; and the subjects or categories of subjects to whom personal data may be disclosed or who may become aware of it as designated representative in the territory of the State, managers or processors
C) obtain: updating, rectification or, if necessary, integration of data; erasure, transformation into anonymous form or blocking of data processed in violation of the law, including those whose storage is not necessary in relation to the purposes for which the data were collected or subsequently processed; certifications that the operations referred to in Art. 8(A) and (B) have been brought to the attention, including as regards their content, of those to whom the data have been disclosed or disseminated, except where such fulfilment is impossible or involves the use of means manifestly disproportionate to the protected right
D) object, in whole or in part: for legitimate reasons, to the processing of personal data concerning you, even if relevant to the purpose of the collection; the processing of personal data concerning you for the purpose of sending advertising material or direct sale or for market research or commercial communication through the use of automated call systems without the intervention of an operator, via email and/or via traditional marketing methods by telephone and/or post
Please note that the data subject’s right to object, as set out in point B) above, for direct marketing purposes using automated methods extends to traditional methods as well, and that the data subject is entitled to exercise the right to object even in part.
Therefore, the data subject may decide to receive only communications by traditional means or only automated communications or neither type of communication.
Where applicable, the data subject also has the rights provided for in Articles 16-21 of the GDPR (right of rectification, right to be forgotten, right to limit processing, right to data portability, right to object), as well as the right to complain to the Authority.
9) Methods of exercising the rights
Data subjects may exercise their rights at any time by sending:
• a registered letter with notice of receipt to: BAIDO SPA, with registered office at VIA TERGOLA 38, 35010 S. GIUSTINA IN COLLE (PD), ITALY
• an e-mail to firstname.lastname@example.org or a certified e-mail to email@example.com
• the organisation provides a form for data subjects to exercise their rights by simple request to the addresses above
The data controller’s services are not intended for children under the age of 14 and the data controller does not knowingly collect the personal data of minors. In the event that information on minors is inadvertently recorded, the data controller will delete it in a timely manner at the users’ request. For any processing requirements involving minors, specific consent and authorisation will be requested from the guardian and/or from the holder of parental responsibility (as provided for in Article 8 of Regulation 679/16).
11) Data Controller, Manager and Processor
The data controller is BAIDO SPA – in the person of its legal representative. The data controller can be contacted at the addresses indicated above. An up-to-date list of data managers and processors is kept at the data controller’s premises.
12) Data Protection Officer
The Data Protection Officer (DPO) is not applicable to our organisation.
13) Changes to this Policy
This Policy may be changed. Therefore, we recommend that you regularly review it and refer to its most current version.