PRIVACY STATEMENT EU Reg. 679/2016 (Privacy Code) PRIVACY STATEMENT AND CONSENT Dear Interested Person, We would like to inform you that EU Reg. 679/2016 provides for the protection of natural persons with regard to the processing of personal data. According to this regulation, the processing will be based on principles of fairness, lawfulness and transparency to protect your privacy and rights. Pursuant to the above mentioned articles 13 EU Reg. 679/201, we will therefore provide you with the following information: The processing that the Data Controller may carry out, will be carried out by automated means and/or by gathering paper documents in order to achieve the following objectives: • To establish and manage commercial relationships and related organisational activities; • To provide services/purchases as part of the commercial relationship established with the data controller; • To manage the associated pre-contractual, contractual, administrative, accounting, tax and legal obligations. The provision of data is mandatory in order to implement the objectives referred to in point a) and failure to provide the data could prevent us from establishing a business relationship, the processing is not based on the requirements of Article. 6, paragraph 1, point f) EU Reg. 679/2016; Your personal data will be processed by persons specifically appointed by the data controller in their capacity as data processors and/or by anyone acting under the data controller’s authority who has access to personal data. These persons will process your data as required only in relation to the purposes of the undertaking and only within the scope of carrying out the tasks assigned to them by the data controller, limiting themselves to processing the data necessary to carry out these tasks and to perform only the operations necessary to implement them. In addition, your personal data may be shared for the purposes referred to in paragraph a), with): • companies or sub-contractors who perform specific tasks on behalf of the data controller (including, for example, data processing, customer support, consultancy, in the areas of administration, accounting, taxation, legal matters, regulatory compliance, management/maintenance/implementation of company IT systems, etc. …) only when it is necessary to pass on your personal data or in any case it is required to achieve the objectives referred to in paragraph a); • law firms and lawyers, to ensure that any contractual rights are protected; • credit institutions, and where necessary, companies specialising in financial services, leasing, debt collection, credit protection and credit transfers for managing business transactions; • Central and ancillary government institutions, Public Bodies and other Institutions as required by law. The sharing of data described above is, depending on the case, associated with specific legal/contractual obligations or necessary for the establishment of the contractual relationship or strictly related to normal business operations within the management of the contractual relationship and strictly necessary for the purposes referred to in paragraph a); therefore, failure to provide data may prevent a contractual relationship being established. c1) the Data Controller may pass on personal data to a third country or an international organisation; in such cases, the Data Controller undertakes to process the data only if appropriate guarantees are in place; c2) in compliance with the provision „Measures and expedients prescribed to data controllers of data processed by electronic means in relation to the role of system administrator – 27 November 2008“ (O.J. no. 300 of 24 December 2008) and its additions and amendments, the data controller has appointed specific „System Administrators“ who, within the scope of their duties, may have direct or indirect access to services or systems that process or allow the processing of personal information. c3) the data will not be passed on to other third parties, unless you are asked, in advance, for your express consent. Your personal data will not be disclosed. The data will be stored for the time necessary to achieve the purposes indicated above and to comply with sector-specific regulations; the storage period will be determined by the duration of the business relationship and by administrative, accounting and tax obligations. The personal data provided will never be processed to carry out an automated decision-making process (so-called profiling). In the event that the personal data provided is processed for different purposes than those indicated above, the Data Controller will provide information about said purpose and any other relevant information. The Data Controller, taking into account the progress made and the costs of implementation as well as the nature, scope, context and purpose of the processing both at the time of determining the means of processing and at the time of the processing itself (so-called risk analysis – accountability), has put in place appropriate technical and organizational measures to effectively implement the principles of data protection and include in the processing the necessary guarantees to meet the requirements of Regulation EU 679/2016 and protect the rights of the data subject. With this in mind, personal data will be processed for purposes related to and/or instrumental to the business relationship established, in compliance with the objectives identified above. The data will be processed using suitable methods and tools to ensure its security (Articles 24, 25 and 32 EU Reg. 679/2016) and data processing will be carried out through an automated process as well as manually (hard copies of documents). We will implement all the technical and operational measures in order to guarantee a level of security appropriate to the risk, so as to ensure at all times the confidentiality, integrity, availability and resilience of the processing systems and services (by way of example but not limited to: checking both the assignment of tasks to those given the task of data processing and the classification of the data itself; procedures, if viable, of pseudonymisation and encryption, disaster recovery mechanisms, etc.). We inform you that, in compliance with the combined provisions of Articles 4, point 11 and 6, paragraph 1, point (b) Council Reg. EU 679/2016, the processing of personal data provided is necessary (and therefore permitted by law) for conducting the business relationship between the Parties and by receiving this Privacy Statement you actively give your unequivocal consent to the above data processing (Article 7 EU Reg. 679/2016). THE DATA CONTROLLER is:GELMINI S.R.L.with registered office in VIA MORUZZI, 3A 43122 PARMA, Tax Number:02398020343 – PI: 02398020343Tel: 0521861413 Mail: email@example.com PEC: firstname.lastname@example.org Pursuant to Article 28 of REG. EU 679/2016, the Data Controller may make use of third parties who process data on the data controller’s behalf and formally appointed by them as data processors. The complete and updated list of those responsible for the processing of the designated data will be provided by the Data Controller upon request, by contacting the addresses indicated above. Pursuant to Article 29 of REG. EU 679/2016, the Data Controller may appoint somebody who has the authority to act either on their behalf or on behalf of the person they have assigned; such persons will be duly trained.The Data Controller has not designated the D.P.O. (Article 37 REG. EU 679/2016 and WP Guidelines Article 29 of 13.12.2016), as it is not necessary within the organisation, given that the type of data processing does not appear within the examples referred to in Article 37.The Data Controller will also inform you that: the data subject has the right to request from the Data Controller to access his/her personal data and to amend or delete it or to restrict or to object to its processing in addition to the right to data portability (Art. 15, Art. 16, Art. 17, Art. 18, Art. 20 EU REG. 679/2016); in addition to the exercise of the right of access, the data subject has the right to obtain confirmation from the data controller that the personal data concerning him or her is being processed, while by exercising his/her right to data portability the data subject may obtain his/her personal data from the data controller in a structured, standardised and legible format in other words the transfer of such data from the original data controller to another (see WP 242 of 13.12.2016); The data subject has the right, where the processing is based on Article 6, paragraph 1 point a) or Article 9, paragraph 2, point a), to withdraw consent at any time without prejudice to the lawfulness of the processing based on consent given prior to the withdrawal; The data subject has the right to lodge a complaint with a supervisory authority; the data subject has the right to be informed, by the Data Controller, who must do so promptly unless there are good reasons not to do so, of any violation of personal data that may present a high risk to the rights and freedoms of natural persons (Article 34 EU REG. 679/2016). The full text of the Articles of EU Reg. 679/2016 regarding your rights (Articles 15 to 23 included) can be consulted at any time at the following link on the website of the Italian Data Protection Authority:• http://22.214.171.124/documents/10160/0/Regolamento+UE+2016+679.+Con+riferimenti+ai+considering or, alternatively, will be provided by the Data Controller on request, by writing to the addresses indicated above. I, the undersigned, in my capacity as data subject/customer, having been made aware of the identity of the Data Controller and of the purposes for which the personal data will be processed, give my free and unconditional consent to the processing and sharing of any relevant personal data as described in the above Privacy Statement.If you do not want to receive further messages from us, you can send an email to email@example.com or simply click on the „unsubscribe“ link in the footer of the email you received.