- Authorized, the natural persons authorized to carry out processing operations or under the direct authority of the owner or manager, pursuant to art. 29 of the Regulation and art. 2-quaterdecies of the Code.
- Communication, giving knowledge of Personal Data to one or more specific subjects other than the interested party, the representative of the Data Controller in the territory of the State, the Manager and the Authorized, in any form, including by making them available or consultation.
- Designated, the natural persons to whom specific tasks and functions related to the processing of Personal Data are attributed and who operate under the authority of the Owner or Manager, pursuant to art. 2-quaterdecies of the Code.
- Personal Data or Data, any information relating to a natural person, identified or identifiable and, even indirectly, by reference to any other information, with particular reference to an identifier such as the name, an identification number, location data, an identifier online or to one or more characteristic elements of its physical, physiological, genetic, psychic, economic, cultural or social identity.
- Dissemination, giving knowledge of Personal Data to indeterminate subjects, in any form, including by making them available or consultation.
- Guarantor, the supervisory authority referred to in art. 51 of the Regulation.
- Information orPrivacy Policy, this document.
- Interested, hereinafter also “User“, indicates the natural person who accesses the Site;
- Security Measures, the complex of technical, IT, organizational, logistical and procedural measures adopted by the Data Controller to guarantee an adequate level of security to the risk of the Treatment, pursuant to art. 32 of the Regulation.
- Responsible, the natural or legal person, public authority, service or other body that processes Personal Data on behalf of the Data Controller.
- Site, this website;
- Holder, the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of the processing of personal data; when the purposes and means of such Processing are determined by Union or Member State law, the Data Controller or the specific criteria applicable to its designation may be established by Union or Member State law.
- Processing, any operation or set of operations, carried out with or without the aid of automated processes and applied to Personal Data or sets of Personal Data , such as the collection, registration, organization, structuring, conservation, storage adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available , comparison or interconnection, limitation, cancellation or destruction
1. Types of data processed
- Data provided directly by the interested party, understood as those data provided by the interested party for the purpose of requesting information on the services offered by the owner or for the purpose of purchasing the owner’s products (e.g. name, surname, email). The interested party is informed that the provision of the aforementioned data is optional, but that, in the event of failure to provide the same, it will not be possible for the Data Controller to provide the services.
2. Purpose of the Treatment
Purposes | Legal basis | Retention period |
A) The Personal Data referred to in art. 1.1 are processed in order to respond to the User’s request for information | A) The treatments put in place for these purposes are necessary for the fulfillment of contractual obligations or to perform pre-contractual measures requested by the interested party and do not require specific consent from the latter . | 24 months from the request for information |
B) The Data Controller processes the User’s Personal Data pursuant to art. 1.1., In order to manage the purchase orders of the products offered for sale by the Owner himself and, in particular, in order to process the purchases, make deliveries etc. | B) The treatments implemented for these purposes are necessary for the fulfillment of contractual obligations or to carry out pre-contractual measures requested by the interested party and do not require a specific consent from the latter. | 10 years from the date of purchase (expiry of the statutory limitation period) |
C) The Data Controller processes the User’s Personal Data pursuant to art. 1.1., For the purpose of issuing invoices and / or receipts relating to products purchased by the User | C) The treatments implemented for these purposes are necessary for the fulfillment of legal obligations and do not require specific consent from the latter. | 10 years from the date of purchase (expiry of the statutory limitation period) |
D) The Owner may send to the email indicated by the User when purchasing one and / or more products, commercial communications concerning products and / or services similar to those already purchased, without prejudice to the User’s right to object to subsequent submissions. | D) The treatments put in place for these purposes are carried out on the basis of the legitimate interest of the owner consisting of direct marketing activities, in compliance with the conditions set out in art. 130 Legislative Decree 196/2003. | 24 months from the date of the last purchase |
3. Processing methods and categories of Recipients.
- Unless otherwise expressly provided for in this Policy, the interested party is informed that the processing of his personal data is carried out using manual systems and / or IT, telematic or automated systems, in compliance with the principles of relevance, lawfulness, correctness and intended purposes from Normati goes.
- The Data Controller processes the Personal Data of the Data Subject by adopting the appropriate Security Measures aimed at minimizing the risks of unauthorized access, Dissemination, loss and destruction of the aforementioned Data, pursuant to the Regulations.
- The interested party is also informed that the processing of personal data for the fulfillment of the aforementioned purposes may be carried out by the Data Controller directly or by availing itself of the collaboration of other subjects, as Managers, Designated or Authorized (e.g. staff employee and / or collaborators of the Data Controller). In particular, Personal Data could be communicated to the following categories of Managers: (i) Carriers; (ii) E-mail service managers; (iii) Payment service managers (Paypal)
- The list of Managers can be consulted at any time, by request to be sent to the email address indicated in the following art. 7.1.
4. Data transfer
- The interested party is informed that the personal data processed by the owner may be transferred to other countries belonging to the European Union
- The interested party is informed that the personal data processed by the Data Controller may be transferred to other countries outside the European Union, for which an adequacy decision of the Commission exists.
5. Rights of the interested party
◦ The interested party may exercise at any time, by means of a communication to be sent to the addresses referred to in the following art. 6.1, the rights provided by the Regulations pursuant to articles 15-22. In particular:
◦ The interested party has the right to ask the Data Controller for access to Personal Data, pursuant to and within the limits set out in art. 15 of the Regulation.
◦ The interested party has the right to ask the Data Controller to correct inaccurate Personal Data, pursuant to and within the limits set out in art. 16 of the Regulation.
◦ The interested party has the right to ask the Data Controller to delete the Personal Data, pursuant to and within the limits of art. 17 of the Regulation.
◦ The interested party has the right to ask the Data Controller to limit the processing of personal data, pursuant to and within the limits set out in art. 18 of the Regulation.
◦ The interested party has the right to ask the Data Controller to communicate their Personal Data in a structured and readable format by an automatic device, pursuant to and within the limits set out in art. 20 of the Regulation.
◦ The interested party has the right to object to the processing by the Data Controller , pursuant to and within the limits set out in art. 21 of the Regulation.
◦ The interested party has the right to lodge a complaint with a supervisory authority.
◦ The interested party has the right to withdraw consent with reference to those treatments that are based on this legal basis. Pursuant to art. 7, paragraph 3 and art. 13, paragraph 2 lett. c) of the Regulation, the interested party is informed that, in any case, the revocation of consent does not affect the lawfulness of the treatment based on consent before the revocation itself.
◦ The Data Subject is informed that the Personal Data processed by the Data Controller may be transferred to other countries outside the European Union, for which an adequacy decision of the Commission exists.
6. Data Controller
- The Data Controller, pursuant to article 28 of the Code regarding the protection of personal data and art. 4 point 7) of the GDPR is Sistema3 Srl, CF / VAT number 15090331008, in the person of the legal representative pro tempore, with registered office in 00141 Rome (RM), Via Calimno 49, e-mail: info@waltbay.com.