DATA PROCESSING PRIVACY NOTICE
ASTRO s.r.l headquartered in Via Fornace 4, 24050 Mornico al Serio (BG) – Italy - (the “Company”) wish to inform you, in the following sections, about the modalities and purposes dealing with the processing of your personal data.
A) Data Controller
The Data Controller is the person who determines the purposes for which and the manner in which personal data are to be processed (the ‘Data Controller’) and is identified in the CEO
The Data Controller may be contacted by e-mail at the following address Via Fornace n. 4 – 24050 Mornico al Serio (Bg) – Italy or at the following e-mail address: firstname.lastname@example.org.
B) Modalities to collect data from the Data Subject
The Data Controller may acquire your personal data under the following circumstances:
- if you contact us through our website, by email or phone, to require information about our services and products;
- if you buy a product and/or a service carried out by our Company, including pre-contractual negotiations;
- if you provide your data to receive direct marketing communications, newsletters and/or to be updated on the events organised and the marketing initiatives carried out by the Company;
- if the commercial partners of the Data Processor transfer to the Controller your personal data lawfully;
- if the Data Controller acquires your personal data from other sources in accordance with the applicable laws and the requirements under Art. 14 of the GDPR (i.e. public registers, directories, acts or documents available to whoever within the limits and under the conditions provided by law on their knowability).
C. Categories of data subject to Processing
Data processed by Data controller may include:
- Data related to natural persons that are necessary to sign and perform a contractual/commercial relationship with a customer/supplier, such as those referred to the customers/suppliers themselves or those of the legal representative of the customers/suppliers signing the contract for and on behalf of the latter or of the company’s internal representatives of the customers/suppliers themselves (for ex. Name, surname, phone number, email, bank account), involved in the activities dealing with the main contractual/commercial relationship, as well as any other information necessary to perform the contractual/commercial relationship and/or provide services;
- Information dealing with the modalities in which you use the company’s website, you open or send the communications received by the company, including the information collected by the means of cookies and other tracking technologies;(referred to also as “Data”)
D. Purposes and legal basis of the processing
- Management of the contractual relationship: the Data Controller shall process your data to reply to your requests, and to fulfil the preliminary requirements for the conclusion of the contract. Legal basis: processing is necessary for the performance of your contract or of the pre-contractual measures adopted upon your request (art. 6 par. 1 letter b of the GDPR). Data storage policy: The data that we collect only for an estimate will be stored for a maximum period of five years. The data processed to perform the contract may be stored for the whole duration of the contract and for the subsequent ten years from the end of the fiscal year following the year in question.
- Fulfilment of legally binding obligations: The Controller processes your data to fulfil any private law, administrative, fiscal, accounting obligation provided by law (i.e. with regard to health and safety in the workplace former Legislative Decree 81/2008), a Regulation, the European legislation or by an order of the Authorities deriving from the outstanding relationship with you; Legal basis: processing is necessary for the performance of your contract (art. 6 par. 1 letter b of the GDPR) or to fulfil a legal obligation of the Controller (art. 6 par. 1 lett. c del GDPR). Data storage policy: The Data may be stored for the period of time necessary to fulfil any legal obligation and, in any case, for the whole duration of the contract and for the subsequent ten years from the end of the fiscal year following the year in question.
- Defend the case for the Data Controller’s rights: if necessary, the Controller will provide all the information dealing with you to the Authorities and the bodies responsible for the enforcement of law, regulation or judicial documents, as well as to third parties into formal dispute. The Data Controller reserves the right to process your personal data to defend his or her rights deriving from the Contract before a judge, also for debt collection, directly or by third parties (debt collection agencies/companies), who will receive your data only for these purposes. Legal basis: processing is necessary for the purposes of the legitimate interest pursued by the controller, in order to defend a right or make further demands on the outstanding commercial relationship, except where such interests are overridden by the interests or fundamental rights (art. 6 par. 1 letter f of the GDPR). Data storage policy: your data may be stored for the necessary period of time in order to allow the Company to take actions or defend against eventual claims towards you or third parties.
- Promotional and marketing activities: The data collected for the selling of a product and/or service also through the company’s website may be processed to send you commercial/promotional communications – by automated means (such as email, sms or mms) and/or traditional (i.e. paper mail) related to services offered by the Company – and/or invitations to events organised by the company, as well as for the realisation of market researches, statistical analyses or customer satisfaction collection. At any moment, you will be informed of the modalities to withdraw consent to processing, easily and free of charge. As for promotional purposes of the company, with your consent, the Controller will collect and publish your image on any means of communication, on the company’s website, on social medias or in the local, national or international newspapers as well as on any other means (existing or to be invented in the future). Legal basis: you have given your consent as data subject of the processing (art. 6 par. 1 letter a of the GDPR). Data storage policy: data collected for marketing purposes may be stored until you withdraw consent, except when any image of you has been published on our website, social medias or commercial brochures.
If the Controller intend to process your data for other purposes than those mentioned above, he or she is required to inform you of these other purposes before performing it.
E. Nature of consent to data processing
Consent to data processing for letter a), b), c) purposes is compulsory since it is required to perform legal and contractual obligations. Any refusal or successive withdrawal may determine the inability for the Controller to fulfil the outstanding contractual relationship.
Instead, consent to data processing for letter d) is optional and the failure to give consent to the processing to those data will determine the inability to carry out the abovementioned activities.
F. Modalities to process Personal Data
Processing will be carried out by the Company in compliance with the security measures under art. 32 of the GDPR and Annex B of the Privacy Code (articles 33-36 of the Privacy Code), through manual, information system and computerised tools specifically designed to store, manage and transmit them to pursue only the purposes for which the data were collected and, in any case, to guarantee their security and confidentiality, as well as in full compliance with the principles of fairness, lawfulness and transparency.
No automated tools are used by the Controller to process data.
G. Communication of Data
Access may be granted to:
- Controller’s employees and associates in charge and/or internal Processors and/or system administrators;
- External third parties carrying out on behalf of the controller outsourcing activities for purposes dealing with support, administrative, accounting, fiscal areas or for purposes related to supply relationship or legal protection;
- Supervisory bodies, judicial authorities and all other subjects which by law require such communication in order to achieve these purposes.
H. Data transfer to a third country or an international organisation
Personal data are to be processed within the European Union and stored on servers located in that area. Anyway, if necessary, the Data Controller will have the right to transmit such data to a third country or to an international organisation and / or to move the servers even outside the EU. In this case, the Data Controller ensures that the transfer of non-EU data will be carried out in accordance with the applicable legal provisions under art. 44 of the Privacy Code and art. 46 and following of the GDPR.
I. Data subject’s rights
The Company informs you that, pursuant to art. 7 of the Privacy Code and articles 15-22 of the GDPR, you, in relation to your personal data, as Data Subject may exercise specific rights at any time, by contacting the Data Controller, such as:
- Access to your personal data and information;
- Without undue delay, rectification of incorrect personal data, as well as the integration of the incomplete data (with an integrative statement);
- The erasure of your personal data if (i) data are no longer necessary in relation to the purposes for which they were collected, (ii) you withdraw consent on which the processing is based and there is no other legal ground for the processing; (iii) you objected to the processing pursuant to art. 21 of the GDPR, (iv) data have been unlawfully processed, or (v) the erasure is necessary to fulfil a legal obligation;
- Limitation to the processing of your personal Data as provided by art. 18 of the GDPR.
If the Processing is based on your consent or on the contract and this is carried out by automated means, you have the right to receive these Data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller unimpeded. This right is not applied if the Processing is necessary to perform a duty of public interest or is connected to the exercise of a public office of the Data Controller.
If the Processing is based on your consent (art. 6 par. 1 lett. A of the GDPR), you have the right to withdraw consent, at any time, without prejudice to the lawfulness of the processing carried out upon you consent given before the revocation.
If you need further information on the processing of your personal data and to exercise the abovementioned rights, you can send a written request using the contacts provided in the ‘Data Controller’ section of this statement. If you request more information about your data, the data controller shall respond promptly – unless this proves impossible or involves a manifestly disproportionate effort compared with the right to be protected – and in any case no later than thirty days from the request. The data controller will justify any inability or delay in doing so to meet the request.
Last update: May 2018