Pursuant to Article 13, paragraph 1 (a) to Article 15 (b) of the GDPR, the Data Controller who will process your personal data is the company PB S.r.l., with legal office in Pistoia at via Della Madonna nr. 28 (C.F. (Social Security No.) and P.I. (Tax ID No.) 01900760479). The Data Controller guarantees that the data provided by you under the framework of this legal relationship (User/Data Subject) shall be processed in accordance with the abovementioned regulation. Your data shall be processed lawfully and following the principles of fairness and proportionality, as well as in compliance with all essential principles, such as the principle of data minimisation, and further in compliance with all fundamental rights and freedoms of the Data Subject. Subsequent communications may be sent at a later time, also orally.
No Data Protection Officer has been appointed due to the fact that PB S.r.l. does not meet the criteria set forth in Article 37 of the Regulation (EU) 2016/679.
Data Subject to the Processing
PB S.r.l. collects and/or receives personal data.
“Personal data” means any information relating to an identified or identifiable natural person –including anyone who can be identified indirectly– by reference to an identifier such as an identification number. “Processing of personal data” means any operation or set of operations performed, whether or not by automated means, such as data collection, recording, organisation, storage, consultation, processing, alteration, selection, retrieval, alignment, use, combination, restriction, disclosure, dissemination, erasure and destruction, even if not recorded in a databank. Basically, the data to be processed consists of data voluntarily provided by you under the framework of the legal relationship established with the Data Controller:
- Data of natural persons: first and last name, date of birth, home address, telephone and fax number, email, tax information, etc.
- Data of self-employed professionals/companies/businesses: data regarding their business (invoices, products, services, contracts), name, address or other data for identification purposes (business name, legal address, operating address, telephone or fax number, email, social security or tax ID number).
It is worth noting that the navigation data, the computer systems and the software required to use this website might collect your personal data, the disclosure of which is performed pursuant to Internet communication protocols. Even though such data are not collected with the purpose of identifying any data subject, the nature of such data might contribute to user identification if it is processed and associated with other data held by third parties. This category of data includes the IP addresses or domain names of the computers used by users connecting to the website, the URI (Uniform Resource Identifier) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.) and other parameters related to the user’s operating system and computer environment. These data are used only to obtain anonymous statistical information on the use of the website and to check its proper functioning and they are immediately deleted after processing. The data could be used to detect associated devices in the event of any potential fraudulent activity against the website or if so requested by the relevant authorities.
PB S.r.l. shall not request Data Subjects to provide any “special” category of personal data, as defined in Article 9 of the GDPR, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The only “special” category of personal data to process may be that of the employees of PB S.r.l. in relation to their health and/or trade union membership.
Purposes of the Processing
We shall process your personal data for the following purposes:
1. to manage current and/or future legal relationships (including online services provided through our website bizionaire.it and offline consulting services);
2. to comply with the obligations assumed in connection with the abovementioned legal relationships;
3. to fulfil any administrative requirements in connection with any current or future legal relationship;
4. to comply with regulatory, accounting and/or fiscal obligations;
5. to safeguard contractual rights;
6. to perform statistical analysis for functional purposes;
7. to perform email marketing and communication activities related to additional products and/or services offered by the Data Controller;
8. to share personal data with partners and/or third parties who collaborate with the Data Controller to develop email marketing and communication activities related to additional products and/or services identical, similar and/or different from those offered by the Data Controller;
9. to manage the contractual relationship with employees in connection with salary payment;
10. to manage and coordinate all related companies.
Pursuant to Recital 49 of the GDPR, the Data Controller and its suppliers (third parties and/or recipients) shall process the personal data of Data Subjects to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data.
The Data Controller shall promptly communicate any specific risk of data breach to the Data Subject, without prejudice to the obligations resulting from Article 33 of the GDPR regarding the notification of a personal data breach.
Your personal data shall be processed only for administrative and accounting purposes for a maximum period of 10 years as provided for in applicable tax laws. This provision shall prevail over any potential request from you to delete such data.
Your data shall not be subject to a decision based solely on automated processing that might produce legal effects concerning you or that might significantly affect you.
Fraud Prevention (Recital 47 and Section 22 of the GDPR)
- The personal data of the Data Subject, except for special data (Article 9 of the GDPR) or judicial data (Article 10 of the GDPR), shall be processed by software systems that perform an automated check before the purchase of products/services for monitoring purposes and to prevent any fraudulent payments;
- If the outcome of such control check is negative, the transaction shall not be allowed; however, the Data Subject may express his or her opinion, ask for an explanation or challenge such negative outcome by contacting the Customer Service or sending an email to contatto firstname.lastname@example.org;
- The personal data collected exclusively for the purpose of fraud prevention, as opposed to the data required in connection with the relevant services, shall be immediately deleted after the control check.
Nature of Data Provision
The authorization for data processing is necessary to accomplish the processing purposes, i.e. to comply with the legal obligations arising from the relationship between the User and the Company, and for any other purposes related to such relationship as set forth by European laws, regulations and provisions. The failure to authorize data disclosure to the entities appointed by the Data Controller will prevent the latter from complying with such obligations and, therefore, the Controller shall not be able to supply the services and/or products requested. However, the authorization to process your data is optional for the processing purposes number 7 and 8. Communications sent pursuant to paragraph 7 above shall be delivered by automated means (email). Regarding paragraph 8 above, personal data will be shared by the Controller with its partners and/or collaborators by email. Regarding the processing purposes set forth in paragraphs 9 and 10 above, the authorization for data processing is mandatory as authorized by the data protection supervisor.
Data Processing Modalities
Data shall be processed and stored only for the abovementioned purposes in paper format or with automated and telematic tools. The data shall be kept in the corresponding databank (users/clients, etc.) and processed with the relevant tools so as to guarantee data integrity, security and confidentiality as provided for by the Regulation (EU) 679/16. All technical, computer, organizational, logical and security measures required by law shall be adopted to guarantee, at least, the minimum level of data protection set forth by law.
Pursuant to Sections 13 and 122 of the Italian Legislative Decree 196/2003 and to the Regulation (EU) 679/16, as well as according to the Provision No. 229 issued on May 8th, 2014, by the Data Protection Supervisor, cookies can be divided into two macro categories, namely “Technical” and “Profiling” cookies.
Technical cookies are used to browse and/or to provide the service requested by the user. They are not used for other purposes and are normally installed directly by the website owner. Without the use of these cookies, some operations could not be performed or would be more complex and/or less secure, such as, for example, home banking (account statement display, bank transfers, bill payments, etc.). For this reason, these cookies, which make it possible to establish and maintain the user’s identification within the session, are essential.
Profiling cookies are used to track the user’s internet browsing behaviour and create profiles based on their tastes, habits, choices, etc. With these cookies, advertising messages can be transmitted to the user’s terminal in line with the preferences already shown by them when browsing online.
User’s Consent to Install Cookies in the Device
The consent required to store cookies depends on the purposes for which the cookies are used, and such purposes also determine whether they are “technical cookies” or “profiling cookies”. No consent is required to install technical cookies; however, for third parties’ cookies a suitable policy is required. Profiling cookies, by contrast, can be installed in the user’s device only upon the latter’s free, voluntary, specific and unambiguous consent after having been duly informed.
Data Disclosure or Dissemination
In relation to the purposes of data processing, the Data Controller may disclose your data to third parties only if appointed in writing and if such disclosure is necessary to provide the services requested by the Data Subject or required by law, namely:
- Entities, professionals, companies or any other organization appointed to process data in order to comply with administrative, accounting and management obligations resulting from the ordinary business of the Data Controller;
- Banks, financial institutions or any other entities to which it is necessary to transfer such data to comply with the obligations assumed by the Data Controller to conduct its business;
- Legal advisors and law firms to safeguard contractual rights;
- Applicable authorities and/or surveillance bodies to comply with legal duties;
- Self-employed professionals, professional firms and consultants duly licensed to address and solve issues related to the provision of the services;
- Public authorities and administrative bodies to comply with legal duties;
- The data collected shall not be disseminated in any way;
- The data shall be transmitted only within Italy and the European Union.
The personal data is collected and processed to provide the required Services and/or to supply the requested Product (Article 13, paragraph 2 (e) of the GDPR). Should the Data Subject fail to provide the personal data expressly requested in the order or registration forms, the Data Controller shall not be able to provide the required services and/or execute the relevant contract and/or supply the related Services/Products nor meet any related duties.
The data shall not be disseminated.
Places for Data Processing
The personal data of the Data Subject shall be stored in paper format or with automated and telematics tools in the countries regulated by the GDPR (EU countries).
Rights pursuant to Articles 15 to 20 of the GDPR
The data subject shall have the right to obtain the following information from the controller:
- a) confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
  - the purposes of the processing;
  - the categories of personal data concerned;
  - the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  - where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  - the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  - the right to lodge a complaint with a supervisory authority;
  - where the personal data are not collected from the data subject, any available information as to their source;
  - the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  - the appropriate safeguards provided by a third country (non EU) or an international organization to protect any potentially transferred data.
- b) the right to obtain a copy of the personal data undergoing processing, provided, however, that such right does not jeopardize third parties’ right to freedom. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
- c) the right to obtain from the controller without undue delay the rectification of his or her personal data.
- d) the right to obtain from the controller the erasure of personal data concerning him or her without undue delay if the grounds provided for in Article 17 of the GDPR apply, such as if the personal data are no longer necessary for purposes for which they were collected or if they have been unlawfully processed, and in any case if the grounds provided for by law apply, or else if the processing of the personal data is not justified by any other lawful reason.
- e) the right to obtain from the controller restriction of processing where the provisions of Article 18 of the GDPR apply, for instance if the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data. The data subject must be duly notified when the period for suspension or restriction of processing is finished and the data is being processed again.
- f) the right to have the Data Controller communicate to each recipient to whom the personal data have been disclosed about any rectification or erasure or restriction carried out, unless this proves impossible or involves disproportionate effort.
- g) the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided in the cases set forth in Article 20 of the GDPR, and the right to have the personal data transmitted directly from one controller to another, where technically feasible.
For any further information and to make any request, please contact the Data Controller at email@example.com. In order to ensure that the abovementioned rights are exercised by the Data Subject and not by another third party, the Data Controller may request the former to provide some additional information for this purpose.
Right to Object to the Processing of Own Personal Data (Article 21, GDPR)
The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, provided, however, that such objection is based on his or her legitimate interest or in relation to trade promotion activities, by sending the relevant request to firstname.lastname@example.org
The Data Subject shall be entitled to request the erasure of his or her personal data if the Controller does not have any overriding legitimate grounds for the processing, and in any case if the Data Subject objects to data processing in relation to trade promotion activities.
Pursuant to Article 15 of the GDPR, regardless of any other claim filed to seek administrative and judicial redress, the Data Subject shall be entitled to lodge a claim with the competent supervisory authority in the Italian territory (Italian Data Protection Authority) available at the following link: http://www.garanteprivacy.it/home/footer/contatti, or else with any other competent authority in the country where the provisions of the GDPR were breached, or else by contacting the European Data Protection Supervisor available at the following link: https://europa.eu/european-union/about-eu/institutions-bodies/european-data-protection-supervisor_it#contatti
Any updates to this policy shall be communicated in due time and by the appropriate means. The Data Controller shall only process the data of the Data Subject for other purposes different from the ones described in this policy with due prior notice and after having obtained the relevant consent of the Data Subject if so required.