Relating to processing of personal data pursuant to Article 13, Regulation (EU), n. 2016/679
The present Regulation is based on the principles of lawfulness, fairness and transparency and all the elements required pursuant to article 13 of the Regulation (Provisions) and of every rules applicable relating to the processing of personal data and intends to provide, in a clear and plain manner, all the useful and necessary information in order to allow you to provide your personal data in a conscious and informed way and, at any moment, request and obtain clarifications and/or rectifications.
Pursuant to Article 4, clause 1 of the Regulation, ‘personal data’ means “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (personal data).
The Regulation states that, before moving to process personal data, the person to which the personal data belong must be informed regarding the reasons why such data are required and how they will be used.
Article 4, clause 2) of the Regulation says that “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (‘Processing’).
The Controller is Food S.r.l., legally based in via Mazzini n. 6, 43121 Parma (‘Controller’) who can be reached by email at firstname.lastname@example.org for information related to the Processing of Data.
The Controller will be accompanied by Food Labs S.r.l. (‘Joint Controller’) which will act as Joint Controller pursuant to Article 26 of the Regulation.
The Joint Controllers have signed an arrangement between them pursuant to article 26 of the Regulation, in which they committed to:
- Jointly determine the purposes and means of processing your personal data;
- Determine their respective responsibilities for compliance with the obligations pursuant to this Regulation, in particular as regards the exercising of the rights of the data and their respective duties to provide the information referred to in Articles 13 and 14;
- Jointly determine, in a plain and transparent manner, the procedure to provide you with a timely feedback in case you decide to exercise your rights, pursuant to Articles 15, 16, 17, 18 and 21 of the Regulation, as well as in cases of personal data portability under article 20 of the Regulation.
- Categories of Data
Data processed by the Controller include: (a) personal data (first name, last name, age, gender), contacts (telephone number, email address, username, company, job title); banking and/or payment data.
- Purposes and lawful basis. Legitimate interest.
The Controller, for the purposes of allowing your registration with the Site and/or sending request for information via contact forms and/or subscribing to the newsletter service or other services, may need to collect some of your Personal Data, as required in the registration form. The internet websites for which the current information is released are available at this link.
Your data will be processed for the purposes of direct marketing, such as promotional activities and/or marketing carried out by the Joint Controllers to allow you to receive newsletters, access your profile, participate in the initiatives promoted through the Internet Sites, send requests for information ad access all the services offered by each of the Internet Sites with which you have registered.
The lawfulness of processing is the legitimate interest pursued by the Joint Controllers for direct marketing activities. Data will also be processed to comply with administrative purposes as prescribed by law, pursuant to Article 6, clause 1, letter b) and c) of GDPR. Regarding the purposes of direct marketing, pursuant to article 6, clause 1, letter f) of the Regulation, the Joint Controllers may carry out such activities based on their legitimate interest, independently from your consent except when you oppose such processing as indicated in article 47, where it says that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest,” also following assessments carried out by the Joint Controllers regarding the eventual and possible predominance of your fundamental interests, rights and freedom requiring the protection of Personal Data over their legitimate interest to send communications of direct marketing.
In order to allow the Controller to undertake the activities of Processing for the aforementioned purposes, it will be necessary to provide Personal Data marked as mandatory.
The Controller, along with the Joint Controllers may ask you, in addition to the data above, additional Personal Data such as, for example, data related to consumption preferences, personal preferences, behaviors for a) the purpose of indirect marketing (or the intention of Joint Controllers to undertake promotional and/or marketing activities on behalf of a third party) or b) profiling purposes (meaning the intention of Joint Controllers to profile you with regard to your taste, personal preference and consumption behavior, including for statistical or research purposes).
The Processing of your Personal Data for the purposes indicated under (a) and (b) cannot be carried out without a freely given, specific, informed and unambiguous consent in compliance with the conditions stated in Article 7 of the Regulation.
- Terms of Processing
Your Data are collected and recorded in a lawful and correct way for the purposes above indicated and are processed also by electronic and automated means (including the registration and organization in database), in compliance with the GDPR with regard to security measures, and, in any case, in such way to ensure the safety and privacy of such Data.
- Recipients or categories of recipients
The Data may be made accessible, brought to the attention of or communicated to the following subjects, which will be appointed by the Controller, as appropriate, as responsible – whose list is available at the headquarters of the Controller – or assigned:
– employees and / or collaborators to any title of the Controller;
– public or private subjects, natural or legal persons, of which the Controller makes use to carry out the activities instrumental to the achievement of the aforementioned purpose or to which the Controller is obliged to communicate the Data pursuant to legal or contractual obligations.
In any case, the Data will not be disclosed.
- Storage Period
Your Personal Data will be processed for the time strictly necessary for the pursuit of the purposes indicated in this Notice or until you communicate, in one of the methods provided for in this Notice, your desire to revoke consent to one or all of the purposes for which you have been asked for and will in any case be kept for a period of time not exceeding 10 (ten) years for administrative purposes.
- Transfer of data abroad
Your Personal Data will be processed by the Controller and/or by the Joint Controllers within the European Union.
If for technical and/or operational reasons it is necessary to make use of subjects located outside the European Union, these subjects will be appointed as Processors pursuant to and for the purposes of article 28 of the Regulation and the transfer of your Personal Data to such subjects will be regulated in accordance with the provisions of Chapter V of the Regulation.
- Rights of Access, erasure, restriction and portability
The Controller informs you that you have the rights pursuant to Articles 15 to Article 20 of GDPR.
For example, by sending a specific request to the email address email@example.com, you shall have the right to:
– obtain confirmation that personal data concerning you are being processed;
– if a processing is in progress, obtain access to the data and information related to the treatment, and request a copy of the data;
– obtain the correction of inaccurate data and the integration of incomplete personal data;
– obtain, if one of the conditions foreseen by Article 17 of the GDPR, the erasure of the Data concerning you;
– obtain, in the cases provided for by Article 18 of the GDPR, the restriction of the processing of data concerning you;
– receive the data that concerns you in a structured format, commonly used and readable by automatic device and request their transmission to another Controller, if technically feasible.
- Right to object
Pursuant to art. 21 of the GDPR, you shall also have the right to object at any time to processing of your Personal Data carried out for the pursuit of the legitimate interest of the Controller by writing to the email address firstname.lastname@example.org. In the event of objection, the Data will no longer be processed, provided that there are no legitimate reasons to proceed with processing that prevail over the interests, rights and freedoms of the data subjects, or for the assessment, exercise or defense of a right in court.
- Right to lodge a complaint with a supervisory authority
The Controller also informs you that you shall have the right to lodge a complaint with the Authority for the Protection of Personal Data (Garante per la Protezione dei Dati Personali) if you believe that your rights under the GDPR or any applicable regulation have been breached, according to the procedures indicated on the website of the Authority for the Protection of Personal Data at: www.garanteprivacy.it.