PRIVACY POLICY
on the processing of personal data
Arts. 12 et seq of Regulation (EU) 2016/679 (GDPR)
FOREWORD
In compliance with the provisions of EU Regulation 2016/679 (hereinafter referred to as GDPR), we hereby provide information
regarding the processing of personal data provided by the data subject in connection with relationships with the Companies of
Zucchetti Group, namely Zucchetti Spa and its subsidiaries or associated or investee companies (hereinafter referred to as the
Companies). The information is provided pursuant to art. 13 GDPR.
- IDENTITY AND CONTACT DETAILS
Depending on the area in which the processing is carried out for the purposes of this privacy notice, the Companies
may hold the role of Data Controller pursuant to Article 4 GDPR or of Joint Data Controllers pursuant to Article 26 GDPR.
The list of Joint Data Controllers can be found at the following links
(https://www.zucchetti.it/website/cms/societa-del-gruppo.html / https://www.zucchetti.it/website/cms/zucchetti-mondo.html)
and the Joint Data Controllers agreement is
available upon request by the data subject, who may send an email to zprivacy.officer@zucchetti.com.
The Companies can be contacted at the following addresses: via Solferino n. 1 – 26900 Lodi (LO) – Italy, tel: +39 0371/594.1;
email: zprivacy.officer@zucchetti.com.
- CONTACT DETAILS OF THE DATA PROTECTION OFFICER (DPO)
For Group companies which have made such an appointment, the Data Protection Officer is Mr. Mario Brocca,
tel. +39 0371/594.3191, email: dpo@zucchetti.it; certified email: dpogruppozucchetti@gruppozucchetti.it.
For any other designations of Data Protection Officers in relation to the Companies, please contact
zprivacy.officer@zucchetti.com.
- PURPOSE OF PROCESSING, LEGAL BASIS AND DATA STORAGE PERIOD
Purpose; Types of data that can be processed; Legal basis; Role Group Companies; Storage period*
Purpose
a) Precontractual/contractual
To provide information on products and services marketed, if requested by the data subject; execution of existing contractual relationships.
Types of data that can be processed:
Personal data and contact details; data necessary for the execution of the contractual relationship.
Performance of a contract to which you are a party or pre-contractual measure taken at the request of the data subject; Fulfillment of legal obligations.
Role Group Companies
Storage period*
Data Controller
According to law
Joint Data Controllers
Until withdrawal of consent for such a purpose and / or five years after giving consent.
Joint Data Controllers
Until consent is withdrawn.
Art. 6, paragraph 1 letters b) and c) GDPR. Consent (required with contract or specific request);
b) Direct Marketing Sending advertising material, newsletters, promotional and commercial communications by automated means of contact (email and instant messaging) and traditional means (telephone calls with operator and regular mail), relating to products and/or events and/or training courses in relation to, as well as for conducting market studies, statistical analysis and customer satisfaction surveys.
Personal data contact details.
c) Marketing to existing customers sending communications relating to contracted products/services and/or products/services similar to
Personal data and contact details; data relating to the company you belong to and your position there.
Legal basis
(optional and can be withdrawn at any time). Art. 6, paragraph 1 letter a) GDPR. and
If the data subject has not given the consent for receiving commercial communications by automated means, he/she may still receive them by traditional means, if he/she has not expressed his/her dissent by ordinary means and/or through the Register of Objections. Legitimate interest Art. 6, paragraph 1 letter f) GDPR.
those already agreed (newsletters, webinars, events, training activities). Consent (required with contract or specific request);
d) Indirect marketing Disclosure of data to business partners/third parties so that they can send marketing communications to you.
Personal data contact details.
e) Content collection and publication: generation of case histories and publication on social network sites, in newspapers, magazines and on websites of images, videos, reviews, ratings and other content that the data subject may freely decide to share with the Joint Data Controllers, as well as on any other means of communication used (as provided for each time your consent is requested)
Personal data; images, sounds, company you belong to, professional role and experience, nickname, social network profile
f) and
Personal data and information related to business processes and procedures
g) If necessary, to ascertain, exercise or defend the rights of the Joint Data Controllers in judicial proceedings
Personal data and contact details; data necessary for the execution of the contractual relationship.
h) Registration on Internet Portals
Personal data and contact details, data relating to the company you belong to and your position there.
Purpose of support with purchased products and services
Joint Data Controllers
Until withdrawal of consent for such a purpose and/or five years after the last interaction with the Joint Data Controllers.
Until withdrawal of consent for such a purpose and/or five years after the last interaction with the Joint Data Controllers.
Data Controller
For the time necessary to exercise rights in court.
Joint Data Controllers
Five years from last interaction.
Data Controller
Five years from last interaction.
Art. 6, paragraph 1 letter a) GDPR.
Data collection of tests, questionnaires, surveys aimed at identifying business processes and managing them
i) (optional and can be withdrawn at any time).
Until withdrawal of consent for such a purpose and/or five years after the last interaction with the Joint Data Controllers.
Master data, contact data, personal data depending on the product/service contracted
Consent (optional and can be withdrawn at any time).
Art. 6, paragraph 1 letter a) GDPR.
Consent (optional and can be withdrawn at any time). Art. 6, paragraph 1 letter a) GDPR.
Legitimate interest (judicial protection).
Art. 6, paragraph 1 letter f) GDPR.
Express consent.
Execution of a contract to which you are a party (to resolve anomalies and malfunctions); Legitimate interest (for analysis aimed at improving service).
*After deletion, data may be retained for an additional period of up to one year, depending on backup storage policies.
- OBLIGATORY NATURE OF PROVISION OF DATA
The data subject must provide the Companies with the data necessary for carrying out the contractual relationship, as well as the data
necessary to fulfil the obligations provided for by laws, regulations, community standards, and by provisions of Authorities
legitimated by law and by supervisory and control bodies (referred to in purposes a) and f) above).
Data that are not essential for the performance of the contractual relationship are qualified and considered supplementary and
their provision by the data subject, if requested, is optional and subject to consent. Consent provided may be withdrawn by the
data subject at any time by sending an email to the address: ufficio.privacy@zucchetti.it. Such withdrawal shall in no way affect
the lawfulness of processing based on the consents given prior to withdrawal of consent.
- PROCESSING METHODS
Personal data will be recorded, processed and stored in the Companies’ paper and electronic archives, in compliance with the
appropriate technical and organizational measures referred to in Art. 32 of the GDPR. The processing of the data subject’s personal
data may consist of any operation or set of operations described in Art. 4, paragraph 1, point 2 of the GDPR.
Personal data will be processed using suitable tools and procedures that guarantee security and confidentiality. Such processing
may be carried out directly and/or via delegated third parties, both manually using hard-copy support and electronically using IT
equipment and other instruments. In order to properly manage the relationship and the fulfilment of legal obligations, personal data
may be entered in the internal documentation of the Companies and, if necessary, in the documents and registers required by
law.
Your data may be processed by the employees of the company departments of the Companies assigned to the pursuit of the
above-mentioned purposes. These employees have been expressly authorized to process the data and have received adequate
operating instructions pursuant to and for the purposes of Art. 29 GDPR.
- CATEGORIES OF RECIPIENTS OF PERSONAL DATA
The data may be communicated to and processed by external parties operating as autonomous data controllers under Articles 4
and 24 GDPR such as, for example, authorities and supervisory and control bodies and in general public or private subjects
entitled to request the data and/or subjects operating as data processors under Art. 28 GDPR, such as consulting firms and/or
professional firms, and/or legal and tax professionals and insurance companies.
The data may also be disclosed to the Companies’ business partners for the performance of services related to the execution of
the contract or for carrying out commercial actions by the same, subject to your express consent.
- DATA TRANSFER TO COUNTRIES OUTSIDE THE EU
The data provided by the data subject will only be processed in countries within the European Union. If the personal data of the
data subjects are processed in a country outside of the EU, the data subject’s rights under EU legislation will be guaranteed and
the data subject will be notified on a timely basis.
- RIGHTS OF THE DATA SUBJECT
Pursuant to Articles 15 et seq of the GDPR, the data subject may exercise the following rights:
a. access: to obtain confirmation of whether or not the personal data of the data subject are being processed and the right to
access them; requests that are manifestly unfounded, excessive or repetitive cannot be answered;
b. rectification: to correct/obtain the correction of personal data if incorrect or outdated and to complete data if incomplete;
c. erasure/to be forgotten: in some cases, to obtain the erasure of the personal data provided; this is not an absolute right, as
the Companies may have legitimate or legal reasons to store them;
d. limitation: the data will be stored, but cannot be processed further, in the cases foreseen by the regulation;
e. portability: to move, copy or transfer data from the Companies’ databases to third parties. This applies only to data provided
by the data subject for the performance of a contract or for which express consent has been given and the processing is
carried out by automated means;
f. objection to direct marketing;
g. withdrawal of consent at any time if processing is based on consent.
Pursuant to Art. 2-undecies of Legislative Decree 196/2003, the exercise of data subjects’ rights may be delayed, restricted or
excluded, following justification provided without delay, unless this might compromise the purpose of the restriction, for as
long as and to the extent that this constitutes a necessary and proportionate measure, taking into account the fundamental
rights and legitimate interests of the data subject, in order to safeguard the interests referred to in paragraph 1, letters a)
(protected interests with regard to money laundering), e) (for the conduct of defensive investigations or the exercise of a right
in court) and f) (for the confidentiality of the identity of the employee who reports offenses he becomes aware of in the course of his duties).
In such cases, data subjects’ rights may also be exercised through the Personal Data Protection Authority in the manner referred
to in Article 160 of said Decree. In such case, the Personal Data Protection Authority will inform the data subject that it has
carried out all the necessary checks or that it has carried out a review, as well as of the data subject’s right to take legal action.
It should also be noted that – before processing the requests – the Companies may ascertain the identity of the data subject, in
order to evaluate the legitimacy of the same.
To exercise such rights, the data subject may contact the Joint Data Controllers or the Data Controller relating to the areas as
defined above at zprivacy.officer@zucchetti.com or call +39 0371/594.3191 or write to the Zucchetti Privacy Office, Via
Solferino 1 – 26900 Lodi (LO) – Italy.
The Companies will respond within 30 days of receiving the data subject’s formal request.
If the abovementioned rights concerning the data subject’s personal data are infringed, the latter may complain to the competent
authority.
THE COMPANIES OF
ZUCCHETTI GROUP