Subject-matter: Policy for the processing of personal data in accordance with Art. 13 Reg. 2016/679/EU
This is to inform you that your personal data is processed by our company. The processing is carried out in compliance with the criteria provided by the European regulation on the protection of personal data, Reg. 2016/679/EU, in force since 25 May 2018 (hereinafter GDPR). According to the aforementioned regulation, the processing must be based on principles of lawfulness, fairness and transparency, aimed at protecting your privacy and your rights.
- Ownership: Pentax Industries SpA in the person of its pro tempore legal representative, with registered offices in Viale dell’Industria 1 – 37040 Veronella (VR) Italy. Telephone: +39 0442489500 Fax: +39 0442489510 Email: firstname.lastname@example.org
- Legal basis and purpose: the personal data processed by the Data Controller includes: Name, surname, email and phone number.
The personal data and particular data categories are collected for the following purposes and in accordance with the specific legal bases:
a. The execution of a contract or of pre-contractual measures (art. 6, par. 1, letter b), GDPR), specifically:
- Distribution of and technical assistance relating to the subscribed services.
b. Compliance with legal obligations binding upon the Data Controller (art. 6, par. 1, letter C), GDPR), specifically:
- Compliance with obligations in relation to tax or accounting laws arising from the relationship with you;
- Compliance with obligations provided by law, regulations, European legislation or supervisory authorities, and for the management of business relationships to the extent necessary to best perform the service requested;
- Communication of your data to the judicial authorities if so required.
c. Sending of commercial communications relating to services similar to those included in previous sales between the parties, through newsletters which do not require any consent, also known as Soft-spam, (art. 130, par. 4, Legislative Decree 196/2003).
d. Legitimate interest of the Data Controller (art. 6, par. 1, letter f), GDPR) in the case of: protection of company assets, security and organisational structure.
For the purposes referred to in points a), b) and e) data provision is required; the data is collected without your express consent. Otherwise the Data Controller will not proceed with the execution of the contract or the completion of the pre-contractual negotiations. For the purposes referred to in point c) data provision is optional; if you do not give your explicit consent, the Controller may send the communications as long as you do not object to such processing.
However, it is possible that the Controller may be asked to clarify the specific legal grounds for any processing and to specify in particular whether the processing is based on law, provided by a contract, legitimate interest or required for the conclusion of a contract. The User may obtain further information on the legitimate interest pursued by the Controller in the relevant sections of this document or by contacting the Controller at: email@example.com
- Methods: The personal data is processed, including with the help of automated tools, by the Controller and duly appointed Processors for the proper fulfilment of the purposes stated in point 2) through electronic tools and paper records and with the use of suitable security measures to ensure the confidentiality of personal data and to prevent undue access by unauthorised persons.
- Communication: The Data is processed at the operational venues of the Controller and in any other place where the parties involved in the processing are located. For further details, please contact the Controller. The accounting/tax data may be disclosed to duly appointed external entities that carry out activities on behalf of the Data Controller, such as but not limited to: accountants, banks and related external professionals. The data covered by the service will be transferred to the IT partners chosen to fulfil the service subject to the contract. Said partners will guarantee the same level of technical/organisational/IT/legal protection guaranteed by the Data Controller. Communication is not provided to third countries outside the EU, nor is there any dissemination (e.g. social networks, websites etc.). The personal data subject to the processing may be transferred to affiliated companies of Pentax Industries Spa, solely for the purpose of delivering the service and providing sufficient guarantees to implement appropriate technical and organisational measures in order that the processing meets the security requirements provided by this agreement and by the GDPR.
- Retention period: With regard to the purposes stated in point 2 above, the Controller will retain the personal data:
a) for 10 years from the termination of the business or contractual relationship;
b) for the time indicated by applicable regulations;
c) until you object to the processing. The Data Subject may, at any time and at no charge, stop receiving these communications by writing firstname.lastname@example.org, without prejudice to the lawfulness of the processing in the period before the communication. In case of withdrawal, the Controller shall not send any further communications;
d) for the time strictly necessary to fulfil such purposes.
- The Data Subject has the right to ask the Data Controller for access to their personal data or for its rectification or erasure or restriction of processing of the data concerning them, or has the right to object to the processing, in addition to the right to data portability or to withdraw their consent, as specified in Articles 15-21 GDPR. The request may be made by email or registered letter, using the company form with the subject: “Request from a data subject”, specifying in the request the right which the data subject wishes to exercise (erasure, rectification, portability, right to be forgotten) together with a valid email/PEC certified email address to which the Controller may reply. The Controller, or anyone appointed by the Controller, will meet the request within 30 days from receiving it. If the reply is complex, the time required could be extended by another 30 days, subject to prompt notification of this to the data subject. If you feel you need to have your rights upheld, you can lodge a complaint with the relevant supervisory authority, i.e. the Italian Data Protection Authority, whose offices are in Piazza Venezia 11, Rome.