Privacy Policy

Articles 12 et seq. of Regulation (EU) 2016/679 (GDPR)

 

INTRODUCTION

In compliance with the provisions of Regulation (EU) 2016/679 (hereinafter the GDPR), we provide below information regarding the processing of personal data supplied by the data subject in connection with relationships with the Companies of the Zucchetti Group, meaning Zucchetti S.p.A. and the companies controlled by, affiliated with, or invested in by this company, as well as the companies controlling it (hereinafter the Companies). This privacy notice is provided pursuant to Article 13 of the GDPR.

  1. IDENTITY AND CONTACT INFORMATION

Depending on the different areas in which the processing is carried out for the purposes of this privacy notice, the Companies may act as Data Controller pursuant to Article 4 of the GDPR or as Joint Controllers pursuant to Article 26 of the GDPR.

The list of the Companies acting as Joint Controllers is available at the following link: https://www.zucchetti.it/website/cms/societa-del-gruppo.html

The joint controllership agreement is made available upon request by the data subject, who may send an email to ufficio.privacy@zucchetti.it.

The Companies may be contacted at the following addresses: Piazza Mino Zucchetti no. 1 – 26900 Lodi (LO), tel.: 0371/5941; email: ufficio.privacy@zucchetti.it.

 

  2. CONTACT DETAILS OF THE DATA PROTECTION OFFICER (DPO)

For the Group companies that have made the appointment, the Data Protection Officer is ZHolding S.p.A., in the person of Dr. Mario Brocca, tel. 0371/5943191, email: dpo@zucchetti.it; certified email: dpogruppozucchetti@gruppozucchetti.it.

For any other appointments of Data Protection Officers relating to the Companies, further clarification may be requested by contacting ufficio.privacy@zucchetti.it.

 

  3. PURPOSE OF PROCESSING, LEGAL BASIS AND DATA STORAGE PERIOD

a) Pre-contractual/contractual

Purpose: Providing information on marketed products and services, where requested by the data subject; performance of existing contractual relationships.
Type of data processed: Personal identification data and contact details; data necessary for the performance of the contractual relationship.
Legal Basis: Performance of a contract to which you are a party or pre-contractual measures taken at the request of the data subject; compliance with legal obligations. Art. 6(1)(b) and (c) GDPR.
Role Group Company: Data controller
Storage period: In accordance with legal provisions.

b) Direct marketing

Purpose: Sending, through automated contact methods (email and instant messaging) and traditional methods (operator-assisted phone calls and ordinary mail), advertising material, newsletters, promotional and commercial communications relating to products and/or events and/or training courses, as well as carrying out market research, statistical analyses, and customer satisfaction surveys.
Type of data processed: Personal identification data and contact details.
Legal Basis: Consent requested through the contract or a specific request; optional and revocable at any time. Art. 6(1)(a) GDPR. If the data subject has not given consent to receive commercial communications through automated methods, they may still receive them through traditional methods, unless they have objected through ordinary channels and/or the Public Register of Objections.
Role Group Company: Joint controllers
Storage period: Until consent is withdrawn for this purpose and/or five years have elapsed from the expression of consent.

c) Marketing to existing customers

Purpose: Sending communications relating to contracted products/services and/or products/services similar to those already contracted, such as newsletters, webinars, events, and training activities.
Type of data processed: Personal identification data and contact details; data relating to the company to which the data subject belongs and the role held.
Legal Basis: Legitimate interest. Art. 6(1)(f) GDPR.
Role Group Company: Joint controllers
Storage period: Until consent is withdrawn

d) Indirect marketing

Purpose: Disclosure of data to commercial partners/third parties so that they may send you marketing communications.
Type of data processed: Personal identification data and contact details.
Legal Basis: Consent requested through the contract or a specific request; optional and revocable at any time. Art. 6(1)(a) GDPR.
Role Group Company: Joint controllers
Storage period: Until consent is withdrawn for this purpose and/or five years have elapsed since the last interaction with the Joint Controllers.

e) Collection and publication of contents

Purpose: Creation of case histories and publication on social media, newspapers, magazines, and websites of images, videos, reviews, evaluations, and other content that the data subject may freely decide to share with the Joint Controllers, as well as on any other communication channels used, as provided for in the individual consents requested from time to time.
Type of data processed: Personal identification data; images, sounds, company of affiliation, role and professional experience, nickname, social network profile.
Legal Basis: Consent (optional and revocable at any time). Art. 6(1)(a) GDPR.
Role Group Company: Joint controller
Storage period: Until consent is withdrawn for this purpose and/or five years have elapsed since the last interaction with the Joint Controllers.

f) Collection of data from tests, questionnaires, and surveys aimed at identifying and managing business processes

Type of data processed: Personal identification data and information relating to business processes and procedures.
Legal Basis: Consent, optional and revocable at any time. Art. 6(1)(a) GDPR.
Role Group Company: Joint Controller
Storage period: Until consent is withdrawn for this purpose and/or five years have elapsed since the last interaction with the Joint Controllers.

g) Where necessary, to establish, exercise, or defend the rights of the Joint Controllers in legal proceedings.

Type of data processed: Personal identification data and contact details; data relating to the performance of the contract.
Legal Basis: Legitimate interest, namely legal defence. Art. 6(1)(f) GDPR.
Role Group Company: Data Controller
Storage period: For the time necessary to exercise rights in legal proceedings.

h) Registration on internet portals.

Type of data processed: Personal identification data and contact details; data relating to the company to which the data subject belongs and the job position held.
Legal Basis: Explicit consent
Role Group Company: Joint Controller
Storage period: Five years from the last interaction.

i) Assistance purposes for purchased products and services.

Type of data processed: Personal identification data, contact details, and personal data depending on the contracted product/service.
Legal Basis: Performance of a contract to which you are a party, for the resolution of anomalies and malfunctions. Legitimate interest, for analyses aimed at improving the service.
Role Group Company: Data Controller
Storage period: Five years from the last interaction.

*Upon deletion, the data may be retained for an additional period of up to one year, in accordance with the backup retention policies of the companies’ information systems.

MANDATORY PROVISION OF DATA

The data subject must provide the Companies with the data necessary for the performance of the contractual relationship, as well as the data necessary to comply with obligations laid down by laws, regulations, EU legislation, or provisions issued by Authorities legally entitled to do so and by supervisory and control bodies, as referred to in purposes a) and f) above.

Data that are not essential for the performance of the contractual relationship are classified and considered supplementary, and their provision by the data subject, where requested, is optional and subject to consent. The consent provided may be withdrawn by the data subject at any time by sending an email to: ufficio.privacy@zucchetti.it. Such withdrawal shall in no way affect the lawfulness of processing based on the consent given before its withdrawal.

METHODS OF PROCESSING

Personal data will be recorded, processed, and stored in the Companies’ paper and electronic archives, in compliance with the appropriate technical and organisational measures referred to in Article 32 of the GDPR. The processing of the data subject’s personal data may consist of any operation or set of operations among those indicated in Article 4(1)(2) of the GDPR.

The processing of personal data will take place through the use of tools and procedures suitable to ensure their security and confidentiality and may be carried out, directly and/or through delegated third parties, both manually using paper-based media and with the aid of IT means or electronic tools. For the purposes of proper management of the relationship and compliance with legal obligations, the data may be included in the Companies’ internal documentation and, where necessary, also in the accounting records and registers required by law.

The data subject’s personal data may be processed by employees of the Companies’ business functions responsible for pursuing the purposes indicated above. These employees have been expressly authorised to process the data and have received appropriate operating instructions pursuant to and for the purposes of Article 29 of the GDPR.

CATEGORIES OF RECIPIENTS OF PERSONAL DATA

The data subject’s personal data may be disclosed to and processed by external parties acting as independent controllers pursuant to Articles 4 and 24 of the GDPR, such as, by way of example, authorities and supervisory and control bodies and, in general, public or private entities entitled to request the data, and/or to parties acting as Processors pursuant to Article 28 of the GDPR, such as, by way of example, consulting companies and/or professional firms and/or professionals, including legal and tax advisers and insurance companies.

The data may also be disclosed by the Companies to their commercial partners/dealers for the performance of activities connected with the execution of the contract or for the carrying out, by those partners/dealers, of commercial activities.

The list of partners to whom the data may be disclosed is available at the following link: https://www.longwave.it/chi-siamo/partner.

Finally, the data may be disclosed to third-party Processors for the development of Artificial Intelligence systems aimed at improving services and products.

TRANSFER OF DATA TO NON-EU COUNTRIES

The data provided by the data subject will be processed only in countries located within the European Union. If the data subject’s personal data are processed in a country outside the EU, the rights granted to the data subject by EU legislation will be guaranteed and the data subject will be promptly informed.

RIGHTS OF THE DATA SUBJECT

Pursuant to Articles 15 et seq. of the GDPR, the data subject may exercise the following rights:

  1. access: confirmation as to whether or not the data subject’s personal data are being processed and the right to access such data; requests that are manifestly unfounded, excessive, or repetitive cannot be answered;
  2. rectification: to correct/obtain the correction of personal data if inaccurate or outdated, and to have them completed if incomplete;
  3. erasure/right to be forgotten: to obtain, in certain cases, the erasure of the personal data provided; this is not an absolute right, as the Companies may have legitimate or legal grounds for retaining them;
  4. restriction: the data will be stored but may not be processed or further handled in the cases provided for by law;
  5. portability: to move, copy, or transfer the data from the Companies’ databases to third parties. This applies only to data provided by the data subject for the performance of a contract or for which explicit consent has been given, and where the processing is carried out by automated means;
  6. objection to direct marketing;
  7. withdrawal of consent at any time, where the processing is based on consent.

Pursuant to Article 2-undecies of Italian Legislative Decree No. 196/2003, the exercise of the data subject’s rights may be delayed, restricted, or excluded, with a reasoned communication provided without delay, unless such communication may compromise the purpose of the restriction, for the time and within the limits in which this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subject, in order to safeguard the interests referred to in paragraph 1, letters a) interests protected in relation to anti-money laundering, e) the conduct of defensive investigations or the exercise of a right in legal proceedings, and f) the confidentiality of the identity of the employee reporting unlawful conduct of which they became aware by reason of their office. In such cases, the data subject’s rights may also be exercised through the Italian Data Protection Authority, according to the procedures set out in Article 160 of the same Decree. In that case, the Authority will inform the data subject that all necessary checks have been carried out or that a review has been performed, as well as of the data subject’s right to seek judicial remedy.

It is also specified that, before fulfilling requests, the Companies may verify the identity of the data subject in order to assess the legitimacy of the request received.

To exercise these rights, the data subject may contact the Companies acting as Joint Controllers or independent Controllers, depending on the areas defined above, at ufficio.privacy@zucchetti.it, or by calling 0371/594.3191, or by sending a letter to Ufficio Privacy Zucchetti, Piazza Mino Zucchetti no. 1 – 26900 Lodi.

The Companies will respond within 30 days of receiving the formal request sent by the data subject.

Please note that, in the event of a personal data breach affecting the data subject, the data subject may lodge a complaint with the competent authority: “Data Protection Authority.”