Pibiplast SpA Via della Costituzione 19 – 42015 Correggio (RE) ITALY (hereinafter referred to as the “Data Controller”), in its capacity as Data Controller, informs you pursuant to article 13 of Italian legislative decree n. 196 of 30.6.2003 (hereinafter, the “Privacy Code”) and article n. 13 of European Regulation n. 2016/679 (hereinafter, the “GDPR”) that your data shall be processed in the manner and for the purposes indicated below:
1. Object of the data processing
The Data Controller processes personal data of a non-sensitive nature (for example name, surname, tax code, VAT number, email, telephone number – hereinafter, “personal data” or even just “data”) provided by you during registration for web services offered by the Data Controller (for example: website, newsletter, social network).
2. Purpose of the data processing
Your personal data is processed:
A) without your express consent (art. 24 lett. a, b, c of the Privacy Code and art. 6 lett. b, e of the GDPR), for the following service provision purposes:
– for the purpose of compliance with a legal obligation, regulation, community legislation or an order of an official authority;
– to prevent or discover fraudulent activities or violations deemed harmful to the website;
– to exercise the rights of the Data Controller, for example the right of defence in court.
B) Only after your specific and distinct consent (art. 23 and 130 of the Privacy Code and art. 7 of the GDPR), for the following marketing purposes:
– to send you by email newsletters, commercial communications and/or advertising material on products or services offered by the Data Controller
– to enable you to register on the website;
– to enable you to subscribe to the newsletter provided by the Data Controller and any additional services you may request; Please be informed that if you are already our customer, we may send you commercial communications regarding services and products offered by the Data Controller that are similar to those you have already made use of, unless you specifically object (art. 130 paragraph 4 of the Privacy Code).
3. Data processing methods
The processing of your personal data is carried out by means of the operations indicated in art. 4 of the Privacy Code and art. 4 n. 2) of the GDPR, specifically: collection, registration, organisation, retention, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of data. Your personal data may be processed using electronic, manual and/or automated means.
The Data Controller shall process the personal data for the time necessary to fulfil the aforementioned purposes and in any case for no longer than 10 years from the termination of the relationship for Service Purposes and for no more than 2 years from the collection of the data for Marketing Purposes.
4. Access to data
Your data may be made accessible for the purposes referred to in art. 2.A) and 2.B):
– to employees and collaborators of the Data Controller or companies of the Pibiplast Group to which the Data Controller belongs, in their capacity as data handlers and/or internal data processing managers and/or system administrators;
– to companies of the Pibiplast Group to which the Data Controller belongs (for example, for marketing or promotional activities or for collecting opinions, for storage of personal data, etc.) or to third parties (for example, service providers for management and maintenance of the website, suppliers, credit institutions, professional studios, etc) who perform outsourced activities on behalf of the Data Controller, in their capacity as external data processors.
5. Data communication
Without your express consent (ex art. 24 lett. a), b), d) of the Privacy Code and art. 6 lett. b) and c) of the GDPR), the Data Controller may communicate your data for the purposes referred to in art. 2.A) to supervisory authorities, judicial authorities as well as to all other subjects to whom the communication is mandatory by law for the fulfilment of the purposes indicated above. Your data shall not be disclosed.
6. Data transfer
Personal data is managed and stored on servers within the European Union belonging to the Data Controller and/or third party companies entrusted with processing and duly appointed as data processors. Servers are currently located in ITALY + mailchimp servers. Data shall not be transferred outside the European Union. In any case, it is understood that the Data Controller, where necessary, shall be entitled to move servers located in Italy and/or the European Union and/or non-EU countries. In this case, the Data Controller hereby ensures that the transfer of data outside the EU shall take place in accordance with applicable legal provisions, stipulating agreements, if necessary, to guarantee a suitable level of protection and/or adopting the standard contractual clauses of the European Commission.
7. Nature of data provision and the consequences of refusal to reply
The provision of data for the purposes referred to in art. 2.A) is mandatory. Without said data, we shall not be able to guarantee registration on the website or the services outlined in art. 2.A).
The provision of data for the purposes referred to in art. 2.B), meanwhile, is optional. You can therefore decide not to provide any data or to subsequently revoke consent to the processing of data already provided: in this case, you shall not receive newsletters, commercial communications and advertising material related to the services offered by the Data Controller. However, you shall continue to be entitled to the Services referred to in art. 2.A).
8. Rights of the interested party
As an interested party, you have the rights set forth in art. 7 of the Privacy Code and art. 15 of the GDPR, namely the right to:
i. obtain confirmation of the existence or otherwise of personal data concerning you, even if not yet recorded, and the communication in intelligible form of said data;
ii. obtain information on: a) the source of the personal data; b) the purposes and methods of processing; c) the logic applied when the data is processed with the use of electronic instruments; d) the identity of the Data Controller, data processors and the representative designated pursuant to Article. 5, paragraph 2 of the Privacy Code and art. 3, paragraph 1 of the GDPR; e) the parties or categories of parties to which the personal data can be transferred or which can gain knowledge of them as designated representatives of the State, data processors, or handlers;
iii. obtain: a) the updating, correction or, when applicable, additions to the data; b) the cancellation, transformation into anonymous form, or blocking of data processed in violation of law, including those that need not be retained for the purposes for which the data were collected or subsequently processed; c) certification that the parties to which the data have been communicated or disclosed have been notified of the operations specified in points a) and b), also regarding their content, except for the case where notification proves impossible or requires the use of means clearly disproportionate to the right being protected;
iv. oppose, in whole or in part: a) for legitimate reasons, the processing of your personal data, even if it is pertinent to the purpose of its collection; b) the processing of personal data concerning you for the purpose of sending advertising material or direct sales material, for the completion of market research or for commercial communication, through automated calling systems without human intervention, through email and/or traditional marketing communications by telephone and/or physical post. It should be noted that the interested party’s right of opposition, outlined above at point b), for the purposes of direct marketing by automated means also extends to traditional means and that in any case the interested party remains entitled to exercise the right of opposition even only in part. Therefore, the interested par