Privacy and Cookie Policy

PRIVACY NOTICE FOR CUSTOMERS AND SUPPLIERS

1. Notice pursuant to Article 13 of (EU) Regulation 2016/679 (“GDPR”)

Dear Sirs,

We are informing you that (EU) Regulation 2016/679 (the GDPR) provides for the protection of individuals with respect to the processing of personal data. In compliance with the law indicated, this processing will be based on the principles of correctness, lawfulness and transparency, protecting your privacy and your rights. Pursuant to article 13 of the aforementioned Regulation, we therefore provide you with the following information.

2. Personal data processed, source of the Data, purpose of the Data processing, legal basis of the processing and retention period

By “Data” we mean those relating to natural persons processed by GILARDI SRL for the stipulation and execution of the contractual relationship with its customers/suppliers, such as for example those of the legal representative of the customer/supplier who signs the contract in the name of and on behalf of the latter, of the customer/supplier’s employees/consultants involved in the activities referred to in the contract, possibly the data of the companies in the customer/supplier’s group for which the latter signs the contract with the necessary powers of representation, as well as any other information necessary for the execution of the contract.

The source from which the Data comes is the customer/supplier.

In particular, said Data will be processed for the purposes indicated below.

3. Management of the contractual/business relationship, such as: satisfaction of specific requests of the interested party before the conclusion of the contract; conclusion, modifications, execution of the contract; provision and management of related services (activities for installation, activation, migration, maintenance and/or assistance); claims management.

The legal basis of the processing is:

the execution of the contract, for the Data of the legal representative of the supplier/customer;

the legitimate interest for the Data of the supplier/customer’s employees/consultants involved in the activities referred to in the contract.

Data retention period: duration of the contract and, after its termination, for a further 10 years. In the case of judicial litigation, for the entire duration of it, until the deadlines for appeals have elapsed.

4. Administrative – accounting, such as: invoicing; management of payments, delays and non-payments; management of Data for internal organisational, administrative, financial and accounting purposes functional to the aforementioned activities.

The legal basis of the processing is the need to fulfill a legal obligation to which GILARDI SRL is subject.

Data retention period: duration of the contract and, after its termination, for a further 10 years. In the case of judicial litigation, for the entire duration of it, until the deadlines for appeals have elapsed.

5. Fulfilment of obligations or exercise of rights provided for by national or European Union law or by collective agreements in accordance with national law, such as: fulfilment of obligations established by community and national regulations, in particular by laws, regulations, including contingent and urgent measures for the protection of public order, the detection and repression of crimes

The legal basis of the processing is the need to fulfill a legal obligation to which the data controller is subject.

Data retention period: duration of the contract and, after its termination, for a further 10 years. In the case of judicial litigation, for the entire duration of it, until the deadlines for appeals have elapsed.

6. Extrajudicial debt collection (in the case of customers), such as: protection and possible recovery of credit, can be conducted directly or through third parties (credit collection agencies/companies) to whom they will be communicated for this purpose only.

The legal basis of the processing is legitimate interest.

Data retention period: duration of the contract and, after its termination, for a further 10 years. In the case of judicial litigation, for the entire duration of it, until the deadlines for appeals have elapsed.

7. If necessary, to ascertain, exercise and/or defend rights in court

The legal basis of the processing is legitimate interest.

Data retention period: duration of the contract and, after its termination, for a further 10 years. In the case of judicial litigation, for the entire duration of it, until the deadlines for appeals have elapsed.

8. Registration on websites

In the event that the customer requests it, his/her Personal Data will be processed to attribute the identification codes necessary to allow registration on the site and use the services reserved for registered users. The identification codes assigned to the customer are necessary to access the reserved area of the site and use the services reserved for registered users.

The legal basis of the processing is the execution of the contract of which the interested party is a party.

Data retention period: until the interested party requests to cancel his/her subscription to the service.

G. Safety, pursuant to Legislative Decree 81/2008

With particular reference to the identification data freely provided by the guest/visitor at our offices (name, surname, institution or company to which they belong), the processing has the exclusive purpose of guaranteeing compliance with the company’s formally-applied safety procedures, even in force of current regulatory provisions (e.g. annotation in the visitor register/database, assignment of temporary recognition badges, application of legal obligations regarding safety at work).

The legal basis of the processing: The necessity to fulfil legal obligations to which the controller is subject.

Data retention period: The Data will be retained for the period of time required by law.

Once the retention terms indicated above have expired, the Data will be destroyed or made anonymous, compatible with the technical cancellation and backup procedures.

9. Scope of communication: subjects authorised to process and transfer Data to countries outside the European Union.

The Data may be communicated to external parties operating as data controllers, such as supervisory and control authorities and bodies and general public or private entities entitled to request the Data (e.g., banks and credit institutions, Public Administrations, and other public authorities).

The Data may be processed on behalf of the controller by external parties designated as data controllers, who carry out specific activities on behalf of the controller.

The Data may be processed by employees of the company who are responsible for pursuing the purposes indicated above, who have been expressly authorised for processing and who have received adequate operating instructions.

As a rule, no personal data of the interested party will be transferred to a third country outside the European Union or to International Organisations. If this becomes necessary for the realisation of the object of the contract stipulated or already in place with the controller and, more generally, for the purposes referred to in this notice, the controller undertakes to ensure that any transfer takes place in compliance with the provisions referred to in articles 45 (on the basis of an adequacy decision by the Commission) and 46 (on the basis of the existence of adequate guarantees), if applicable, or in any case pursuant to art. 49 of the Regulation.

10. Provision of Data

The provision of Data by the customer/supplier is optional; however, any refusal to provide such Data could result in the failure or only partial execution of the contract/service.

11. Data controller

The Data Controller is GILARDI SRL, with headquarters in GASSINO TORINESE (TO), strada Chivasso no. 89, Tax Code and VAT no. 00597930015, telephone number 011 9606474, email: gilardi@gilardilegnami.it

12. Rights of the interested party

By contacting the Data Controller via email at gilardi@gilardilegnami.it, the interested party can ask GILARDI SRL for access to the Data concerning him/her, their cancellation, the rectification of inaccurate Data, the integration of incomplete Data, the deletion of the Data, and the limitation of processing in the cases provided for by art. 18 GDPR, as well as objecting, for reasons related to his/her particular situation, to the processing carried out for the controller’s legitimate interest.

Furthermore, in the event that the processing is based on consent or contract and is carried out via automated tools, the interested party has the right to receive the Data in a structured, commonly used and machine-readable format, as well as, if technically feasible, to transmit them to another controller without impediments.

The interested party has the right to lodge a complaint with the competent Supervisory Authority in the Member State where he/she habitually resides or works or in the State where the alleged violation occurred.

13. Changes to the privacy policy

The Owner reserves the right to change this notice at any time, appropriately communicating any changes to site users. To view any changes made, the user is invited to consult this notice regularly, which, in any case, indicates the date of the last update.

COOKIE POLICY

Types of Data collected

Navigation Data

The computer systems and software procedures used to operate this website acquire some personal data during their normal operation, whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified interested parties but could, by its very nature, allow users to be identified through processing and association with data held by third parties.

This category of data includes the IP addresses or domain names of the computers used by users who connect to the site, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used for submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s IT environment.

Browsing data will be collected exclusively to allow the user to use the contents published on the Owner’s websites and their correct administration and management. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning and are deleted immediately after processing.

Cookies

Cookies are small text files that the sites visited send to the User’s terminal, where they are stored, and then re-transmitted to the same sites on the next visit.

For more detailed information, please refer to the specific Cookie Policy on the site.

Data provided voluntarily by the user

The optional, explicit and voluntary sending of emails to the company addresses indicated on this site involves, by its very nature, the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data included in the message. The legal basis of the processing is, therefore, the Data Controller’s legitimate interest to respond to communications received or the need to process pre-contractual requests made by the interested party. The data will be kept for the time necessary to satisfy any requests from the sender or questions submitted to the Data Controller and, in any case, for the time imposed by specific legal provisions. However, it should be remembered that the sender has the right to request the cancellation of said data according to the methods, conditions and limits established by art. 17 of the GDPR.

We invite our users not to send names or other personal data of third parties in their communications that are not strictly necessary.

Processing methods

The Data Controller adopts appropriate security measures aimed at preventing unauthorised access, disclosure, modification or destruction of Personal Data.
The processing is carried out using IT and/or telematic tools, and organisational methods, and with logic strictly related to the purposes indicated. In addition to the Data Controller, in some cases, other parties involved in the organisation of the services offered (administrative, commercial, marketing, legal, system administrators) or external parties (such as third-party technical service providers, postal couriers, hosting providers, IT companies, communication agencies) are also appointed, if necessary, as Data Processors by the Data Controller. The updated list of Processors can always be requested from the Data Controller.

Place

The Data is processed at the Owner’s operational offices and in any other place where the parties involved in the processing are located.
The User’s Personal Data may be transferred to a country other than the one in which the User is located.

If one of the transfers just described takes place, the User can refer to the respective sections of this document or request information from the Data Controller by contacting him at the contact details indicated at the beginning.

Retention period

The Data is processed and stored for the time required by the purposes for which it was collected.

Therefore:

  • Personal Data collected for purposes related to the execution of a contract between the Data Controller and the User will be retained until the execution of said contract is completed.
  • Personal Data collected for purposes attributable to the legitimate interest of the Data Controller will be retained until such interest is satisfied. The User can obtain further information regarding the legitimate interest pursued by the Data Controller in the relevant sections of this document or by contacting the Data Controller.

When the processing is based on the User’s consent, the Data Controller may retain the Personal Data for longer until such consent is revoked. Furthermore, the Data Controller may be obliged to retain Personal Data for a longer period in compliance with a legal obligation or by order of an authority.

At the end of the retention period, the Personal Data will be deleted. Therefore, upon expiry of this deadline the right of access, cancellation, rectification and the right to data portability can no longer be exercised.

Purpose of the Processing of the Data Collected

The User’s Data is collected to allow the Data Controller to provide the Services, in particular to guarantee the correct functioning of the site and allow interaction with external platforms, as well as to collect statistical and visualisation data.

User’s Rights

Users may exercise certain rights with respect to the Data processed by the Data Controller.

In particular, the User has the right to:

  • revoke consent at any time. The User can revoke the previously expressed consent to the processing of his/her Personal Data.
  • object to the processing of their Data. The User can object to the processing of his/her Data when it occurs on a legal basis other than consent.
  • access his/her Data. The User has the right to obtain information on the Data processed by the Data Controller, on certain aspects of the processing and to receive a copy of the Data processed.
  • verify and request rectification. The User can verify the correctness of his Data and request its updating or correction.
  • obtain the limitation of processing. When certain conditions are met, the User can request the deletion of their Data by the Data Controller. In this case the Data Controller will not process the Data for any purpose other than their storage.
  • obtain the cancellation or removal of his/her Personal Data. When certain conditions are met, the User can request the deletion of their Data by the Data Controller.
  • receive his/her Data or have it transferred to another owner. The User has the right to receive his/her Data in a structured, commonly used and machine-readable format and, where technically feasible, to obtain its unimpeded transfer to another Data Controller. This provision is applicable when the Data is processed with automated tools and the processing is based on the User’s consent, on a contract of which the User is a party or on contractual measures connected to it.
  • lodge a complaint. The User can lodge a complaint with the competent personal data protection supervisory authority or take legal action.

How to exercise your rights

To exercise the User’s rights, Users can direct a request to the contact details of the Data Controller indicated in this document. Requests are filed free of charge and processed by the Data Controller as quickly as possible.

Changes to this privacy policy

The information provided here may be subject to revision following:

  • changes to the privacy legislation, for the aspects of interest here;
  • technological implementations of the site that impact current processing methods;
  • organisational changes in the Data Controller’s privacy structure that may affect the user.

Users are kindly invited to periodically view this Policy in order to be constantly updated on the characteristics of the processing.

Legal references

This privacy notice was drawn up on the basis of multiple legislative systems, including articles 13 and 14 of (EU) Regulation 2016/679.

Unless otherwise specified, this privacy policy applies exclusively to this website.

Recipients of the data

The data collected, in addition to being processed internally at the Company’s offices, could, depending on specific needs, be transferred to the following categories of recipients:

  • Data processing and storage platforms;
  • IT service and system maintenance providers;
  • Webmail providers;

The updated list of Data Processors is always available at the Data Controller’s headquarters.

Transfer of data abroad

At the moment, the possibility of transferring data to non-EU countries is not foreseen. Should this need arise, it will be the Data Controller’s responsibility to verify the adequacy of the safety standards present in these countries, as established by Chapter V of the Regulation.

Data retention times

The data provided will be stored in our archives for the duration of the existing relationship between the Data Controller and the companies that have business or collaborative relationships with it.

Rights of the interested party

The interested party has the right to ask the data controller for access to personal data and the rectification or cancellation of it or the limitation of the processing of personal data concerning him/her and to oppose its processing, in addition to the right to data portability.

The interested party, if he/she notices unlawful processing, has the right to contact a supervisory authority, which for Italy is the Guarantor for the Protection of Personal Data, Piazza di Monte Citorio no. 121 – 00186 – ROME; Fax: (+39) 06.69677.3785
Telephone switchboard: (+39) 06.696771 Email: garante@gpdp.it Website: http://www.garanteprivacy.it

Mandatory or optional nature of providing data and consequences of any refusal to provide data

The provision of data is mandatory for everything required by the legal and contractual obligations that bind the Data Controller and the company to which the interested party refers. Therefore, any refusal to supply the data in whole or in part may result in the impossibility for the undersigned to execute the contract or correctly carry out all the obligations set out therein.

THE DATA “CONTROLLER”

The data controller is Gilardi Legnami Srl with registered office in Strada Chivasso, 89 – 10090 – Gassino Torinese (TO); Fiscal code and VAT number 00597930015, contactable at the address commerciale@gilardilegnami.it