Data protection Notice
GENERAL DATA PROTECTION NOTICE PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679 (GDPR)
www.galvanina.com
Last update date: 30 September 2022
With this document La Galvanina S.p.A., data controller of the web site www.galvanina.com and its subdomains (hereinafter only the “Site”), provides information on the Site management with reference to the processing and protection of personal data (“Data”) of the subjects who browse the Site (hereinafter “users” “data subjects”).
This document represents a Notice pursuant to art. 13 of the European Regulation n. 679 of 27 April 2016 (hereinafter “GDPR”) and applies only and exclusively to the Site and does not apply to any other sites or web pages that can be browsed by the user through links or other interactive links that may be activated through the Site. Users are therefore invited to read the information on data processing provided by the controller of each site to which they may be redirected during navigation
This Notice may undergo changes following the introduction of new rules or following changes to the Site, therefore users are invited to periodically visit the “Privacy & Cookies” section of the Site.
This Notice does not exclude that further information on the processing of personal data is given to the data subjects also in different ways, for example by sending specific Notices following the activation or request for a specific service.
1. Identity and contact details of the Data Controller
The personal data Controller for the purposes described in this Notice is La Galvanina S.p.A. (hereinafter also the “Controller” or “Company“), with registered office in Via della Torretta n. 2 – 47923 Rimini (RN) Italy, VAT number. 00142010404.
For all matters relating to the data processing, for the exercise of the rights deriving from the Regulation (on this point, see paragraph 9 below), as well as for any doubt or clarification regarding this Notice, the data subject can contact the Data Controller by sending a registered letter with return receipt to the above address, or a communication to the following e-mail address: privacy@galvanina.com
2. Purpose and legal basis of the processing
PURPOSE. The personal data collected through the Site are processed for the following purposes:
a. to ensure the proper functioning of the web pages and their contents and obtain statistical information on the use of the services;
b. to provide assistance to / contact the user or in any case respond / follow up on requests for information sent by the user by filling in the data collection forms in dedicated areas of the Site (by way of example and not limited to: “contacts” section, etc. .) or asking to use specific services on the Site and manage the activities related to the provision of the requested services.
Whenever the request of the data subject requires a reply from a third party other than the Data Controller (in particular, area agents, resellers or distributors of La Galvanina S.p.A. competent for the territory, outside the EU too), the data provided may be communicated by the Data Controller to the aforementioned subjects who, depending on the case, will process them as independent data controllers or as holders pursuant to art. 28 GDPR, by checking the user’s request directly. It is understood that the communication of data takes place for the sole purpose of providing the user the best service, as to timeliness and relevance of the feedback, taking into account the reasonable expectations of the data subject towards the Controller;
c. direct marketing by the Data Controller: to send to the data subject- by paper mail, e-mail, texts, newsletters, telephone calls with or without operator or other means used by the Data Controller, including automated ones – information material, promotional, commercial and advertising communications or advs concerning events and initiatives of the Data Controller, to carry out market research and surveys on the degree of satisfaction regarding the Data Controller’s services. If while browsing the Site, the user gives consent to the use of profiling cookies (on this point, see the cookie policy in more detail) the Data Controller may send commercial communications, offers, invitations, etc., cut to measure to the profile and / or interests of the individual user (e.g. commercial communications and specific advertising campaigns, dedicated offers based on the user’s profile, etc.);
d. profiling activities by the Data Controller: in order to improve the commercial offer (for example by personalizing commercial communications) and the services offered as well as to elaborate the profile of the users of the Site, analysing their habits and consumption choices, the Data Controller may carry out profiling activities, i.e. electronic processing (by geographical area, activity or profession, age, etc.) of the user’s data in order to identify the user’s preferences and interests in relation to the services of the Data Controller
e. to send newsletters to the user, i.e. communications by e-mail with promotional and advertising content sent to all data subjects who ask for it in the section on the Site
f. to allow the use of the La Galvanina e-shop which can be reached at the following link: https://shop.galvanina.com and the use of related services (e.g. purchase of products): the personal data collected in the E-Shop section, and following the activation of the Personal Account, are processed in order to manage the account; to provide the user with the order history and details on their orders; manage online purchases: to process orders / subscriptions and returns; to manage payments and make refunds; to prevent fraud; to manage product complaints and warranties.
LEGAL BASIS. We also inform you that:
· for the purposes referred to in letter a) above, the legal basis lies in the legitimate interest of the Data Controller (Article 6.1 letter f) GDPR) to guarantee the correct functioning of the Site and its improvement;
· for the purposes referred to in letter b) above, the legal basis lies, as the case may be: in the need to take steps at the request of the data subject prior to entering into a contract; (Article 6.1 letter b) GDPR); in the legitimate interest pursued by the Data Controller (Article 6.1 letter f) GDPR) taking into account the reasonable expectations of the Data Subject in consideration of the relationship with the Data Controller, as indicated in Recital no. 47 of the GDPR (for example, to answer requests from the data subject not aimed at establishing a contractual relationship).
The disclosure of data to any third parties (possible communication; see above point 2 letter b) is based on the consent given by the data subject (Article 6.1 letter a) GDPR);
· for the purposes referred to in letters c), d), and e), data will be processed only after the data subject has given consent (Article 6.1 letter a) GDPR), except for the so-called “soft spam” as described below, for marketing activities by the Data Controller, and profiling through cookies, prior to data subject consent. Data subjects are informed that in Italy the Data Protection Code (Article 130, paragraph 4, Legislative Decree 196/2003 as amended) allows soft spam. This means that without having to acquire the explicit consent of the data subjects, it is possible to use the e-mail address that was provided in a previous purchase, for the purpose of direct sale of services similar to those that the data subject has already purchased from the Data Controller, provided that the data subject does not refuse such use. It is specified that the data subject may refuse this processing at any time by contacting the Data Controller at the addresses referred to in point 1) or by clicking on the appropriate link to object the receipt of unsolicited communications available in advertising e-mails sent by the Data Controller. The personalization of commercial offers (= profiling) could take place, even in the absence of consent given pursuant to the terms described here, where the data subject gave consent to the use, by the Site, of profiling cookies. With reference to the activity of sending newsletters only (letter e), it is specified that consent is acquired when the customer, having read this Notice, accepts to subscribe to the newsletter. The data subject may object at any time to the receipt of newsletters or, in any case, of unsolicited commercial communications by contacting the Data Controller at the addresses referred to in point 1) or by clicking on the appropriate link to object the receipt of unsolicited communications available in advertising e-mails sent by the Data Controller
· for the purpose referred to in letter f), the legal basis is that provided for by art. 6 par. 1 letter b) GDPR: ” processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
3. Nature of data provision
The provision of data for the purposes referred to in letters a) and f) above is optional and yet necessary, respectively: for the correct functionality and use of the Site; for the creation of a personal account and to make purchases on the Site. Any refusal to provide data in relation to the aforementioned purposes will therefore make it impossible to browse the Site, view all its contents and access the related services (e.g. Personal account / E-Shop). The provision of data for the purposes referred to in letter b) is optional; however, any refusal to provide data (or consent, where necessary for the communication of data to third parties) in relation to the aforementioned purpose will make it impossible to process your requests (e.g.: obtain information on products or services, quotes, reservations, etc.). The provision and consent to the processing of your data for the purposes referred to in letters c), d), e) is entirely optional. Any refusal will make it impossible for the Controller to carry out marketing or profiling activities for you or to send you newsletters, while it will not have any negative consequences regarding the purposes referred to in letters a), b) and f).
4. Type of data processed
In order to achieve the aforementioned purposes, the following categories of data will be processed:
· Navigation data: the computer systems and software procedures used to operate the Site acquire, during their normal operation, some data whose transmission is implicit in the use of Internet communication protocols. This type of data is not collected to be associated with identified data subjects, but by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users who browse the site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s IT environment. These data are used for the sole purpose of obtaining statistical information on the use of the Site and to check its correct functioning. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the site or other users, only at the request of the supervisory bodies in charge. The above information may be automatically collected through cookies and other similar technologies. For more information and to customize navigation choices, we invite the user to consult our cookie policy.
· Data provided by the user: identification data (name, surname); contact details (telephone number, e-mail address, etc.); company to which they belong, role; billing and payment data; delivery data (identification data of the recipient and delivery address), data relating to preferences, purchases, orders, etc. Any additional personal data voluntarily provided in the compilation of data collection forms and / or through the voluntary sending of e-mails will be processed according to the principles of correctness, lawfulness and transparency, as well as in compliance with the principle of “minimization”, or by acquiring and processing data limited to what is necessary with respect to the purposes pursued.
5. Processing methods
The processing of your personal data will be carried out using paper and IT tools, in compliance with the provisions on the protection of personal data and, in particular, with the appropriate technical and organizational measures referred to in art. 32.1 GDPR, as well as with the observance of any precautionary measures that guarantee data integrity, confidentiality and availability.
6. Categories of data recipients
Your personal data will not be disseminated, except when required by a law or regulation or by community legislation. The data will be processed, exclusively for the aforementioned purposes, by employees / collaborators, specifically authorized and instructed by the Data Controller pursuant to art. 29 of the GDPR. Where necessary to achieve the purposes referred to in this Notice, the Data may be known by the other companies of the La Galvanina Group, located in the EU and non-EU countries. Your personal data may also be communicated, in close relation to the purposes indicated above, to the following subjects or categories of subjects:
a. subjects and third-party companies that provide services to the Data Controller, such as – by way of example – the management of the information system and telecommunications networks (including e-mail), the development and management of the Site, the sending of commercial communications, logistics services, etc.;
b. agents;
c. local resellers or distributors;
d. firms, companies or professionals for the purpose of support and advice;
e. competent authorities for compliance with legal obligations.
We also inform you that the subjects referred to in letters c) and e) will process your data as independent Data Controllers. In relation to the categories of subjects referred to in letters a), b) and d), however, the Data Controller undertakes to rely exclusively on subjects who provide adequate guarantees regarding data protection, appointing them, where required by current legislation, as Data Holders pursuant to art. 28 GDPR. The list of Data Holders is available from the Data Controller and the data subject is entitled to view it upon request.
7. Transfer of personal data to third countries
The Data may be transferred to countries outside the European Union / EEA area. In particular, the Data may be transferred to other companies of the La Galvanina Group, even outside the EU (e.g. USA). The Data Controller guarantees that any transfer of personal data will take place in full compliance with the conditions set out in Chapter V of the GDPR (articles 44 et seq.), in order to ensure that the level of protection of individuals guaranteed by the GDPR is not compromised. The transfer will therefore take place to countries that for the European Commission can guarantee an adequate level of protection, in accordance with the provisions of art. 44 GDPR or in compliance with specific standard contractual clauses approved by the European Commission pursuant to art. 46 GDPR, provided that the recipient of the data provides adequate guarantees and that the data subjects enjoy enforceable rights and effective remedies. Any exceptions to the above will only take place in compliance with art. 49 GDPR.
8. Data retention
For each processing purpose (see point 2) the data retention period or the criteria to establish it is indicated:
a) the data collected to ensure the functioning of the site are kept for a period of time not exceeding the achievement of the purposes for which the data are collected; with specific reference to cookies, please refer to the cookie policy for more information
b) the personal data collected in order to respond to user requests will be kept for the time necessary to provide the answer and in any case no more than 24 months from the processing of the request;
c) for direct marketing activities, the data will be kept for a period of 24 months from the collection of consent, unless renewed;
d) for profiling activities, the data will be kept for a period of 24 months from the collection of consent, unless renewed;
e) the data processed for the purpose of sending newsletters will be kept until a request for unsubscription is received from the user and, in any case, for a maximum period of 24 months. In this case, we will delete the user’s data from our databases within 72 hours of the unsubscribe request;
f) the data collected on the creation of the user account / registration will be kept for a period of 24 months from registration, except: a) when the registered user makes one or more purchases through the E-Shop of the Site. In this case, the data will be kept for 10 years from the purchase in compliance with the current civil and fiscal legislation in force; b) when, before the expiration of 24 months, a request for cancellation of the account by the data subject is received. The user shall be entitled to request the cancellation of their account at any time. By doing so, the account will cease to exist and the user will be considered inactive. If the account ceases to exist, the Data Controller will not be able to provide the services indicated in paragraph 2, lett. f). Following the cancellation of the account, all personal data will be deleted, unless their retention is necessary for another purpose defined in this Notice or if the retention of said data is required by law (for example for tax purposes in case of purchase of products / services through the E-Shop).
A longer period of retention of personal data may possibly be determined by requests made by the Public Administration or by another judicial, governmental or regulatory body or by the participation of the undersigned Company in judicial procedures involving the processing of data.
9. Rights of the data subject
The data subject shall enjoy the rights that are recognized by the GDPR at any time, in the manner described in paragraph 1 above. Notably, the data subject shall have the following rights:
Right of access
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, have access to a copy of such data. If the data subject asks access to the personal data the following information is also given: the purposes of the processing, the categories of personal data concerned and any other details necessary for the data subject to exercise such right.
Right of rectification
The data subject shall have the right to rectify their personal data in case of inaccuracy or incompleteness. Upon request, we will correct inaccurate personal data and, taking into account the purposes of the processing, complete incomplete data.
Right of erasure
The data subject shall have the right to have personal data erased. The cancellation of personal data can only take place in certain cases, listed in Article 17 of the GDPR. This includes situations in which the data subject personal data are no longer necessary in relation to the initial purposes for which they were processed, as well as situations in which they were unlawfully processed. In relation to the way we provide some services, we inform you that it may take some time before the backup copies are deleted. We also inform you that the Data Controller will, within the limits of the state of the art of available technology, delete the personal data of the data subject, except when data retention is required by law.
Right to restriction of processing
The data subject shall have the right to obtain restriction of processing of personal data, that is to say that the controller shall suspend the data subject data processing for a given period. Such right is applicable (pursuant to art.18 of the GDPR) when the accuracy of the personal data is contested, for a period enabling the controller to verity the (in)accuracy of personal data. A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.
Right to object
The data subject shall have the right to object to the processing of personal data, meaning that the data subject can ask the controller not to process their personal data for specific purposes (ex. Direct marketing). The data subject shall enjoy such right only under specific circumstances (art. 21 GDPR) and, notably, whenever the legal basis of the data processing is the Data Controller legitimate interest.
Right to data portability
The data subject shall have the right to receive their personal data in a structured, commonly used and machine-readable format and have the personal data transmitted directly from one controller to another, where technically feasible.
Right to withdraw consent
The data subject shall have the right to withdraw consent to the processing of personal data at any time, if the processing is based on their consent (e.g. direct marketing). In any case, the withdrawal of consent does not affect the lawfulness of the processing based on consent before the withdrawal.
10. Right to lodge a complaint with the supervisory authority
The data subject shall have the right to lodge a complaint with the supervisory authority, if they believe that a processing that concerns them violates the GDPR and / or the current legislation on the processing of personal data. We inform you that in Italy this Authority is represented by the Guarantor for the Protection of Personal Data, based in Rome. Data subjects not resident in Italy may lodge a complaint with the Supervisory Authority designated in their country of residence.
11. No automated decision-making
Data subjects under this Notice are not subject to a decision based solely on automated processing.