Customers

Privacy Policy on the processing of personal data provided pursuant to Articles 13-14 of Reg. (EU) 2016/679 (GDPR) and the Legislative Decree, as amended. (Act) 30 June 2003 No. 196

1. Introduction

At Magis S.p.A. (hereinafter referred to as the Data Controller) we are aware of the importance of protecting the personal data of our customers, therefore, we handle all information provided to us with extreme care and ensure security and confidentiality when processing personal data. The purpose of this privacy policy on the processing of personal data (hereinafter referred to as “Privacy Policy”), which is provided pursuant to Art. 13-14 of Reg. (EU) 2016/679 (hereinafter the “GDPR”) and Legislative Decree No. 196 of 30 June 2003, as amended (hereinafter, the “Act”) is to provide maximum transparency as to the purposes for which personal data are collected and how they are processed.

2. General information

Data subjects (as defined in the GDPR and the Act) are informed of the following general profiles, which apply to all areas of processing:

• all data are processed lawfully, fairly and transparently in relation to the data subject, in compliance with the general principles laid down in the GDPR and the Act
• data are collected and processed only for the purposes indicated in this Privacy Policy or for the specific purposes already shared with the data subject and/or for which the data subject has given consent
• as little personal data as possible is collected and processed
• when collecting the personal data of a data subject, efforts are made to ensure that they are as accurate and up-to-date as possible
• if the personal data collected are no longer needed for any purpose and the law does not require them to be stored, the data will be erased, destroyed or made anonymous
• certain security measures are taken to prevent data loss, illicit or improper use and unauthorized access
• personal data will not be shared, sold, made available or disclosed to parties other than those referred to in this Privacy Policy
• personal data will not be subject to automated processing or profiling
• full details of each type of data collected are provided in the following dedicated paragraphs of this Privacy Policy.

3. Data collected, processing and purposes

The personal data collected in the ways indicated in the following sub-paragraphs will be processed with the support of hard copy and PC with organisational and processing logics strictly related to the purposes and in any case in such a way as to guarantee the security, integrity and confidentiality of the data in compliance with the organisational, physical and logical measures provided for by the provisions in force. Please note that no profiling activities are carried out using automated methods.

In addition to the Data Controller, in some cases personal data may be accessed by categories of persons in charge duly authorised by the data controller (administrative staff, system administrators, etc.) or external parties (see par. 4) appointed, where applicable, as processors (hereinafter referred to as “Processors”) by the Data Controller. You may ask the Data Controller for an updated list of Processors.

Your personal data are processed at the operations offices of the Data Controller and anywhere else the parties involved in processing are located. For more information, contact the Data Controller.

The data subject declares that he or she is providing truthful and accurate data and that he or she will not provide the data of other data subjects unless expressly authorised in writing to do so.

• Data collected and purpose of processing

The personal data collected (first name, surname, VAT number/tax ID, business address, landline telephone and/or work mobile phone, work e-mail address, any other necessary personal data) are used to enable the following:

1. the drafting of commercial offers, if requested by the data subject
2. invoicing of purchased products/services
3. the provision of ancillary services, if requested by the data subject
4. administrative, accounting and fiscal management linked to invoicing following the sale of products/services
5. any communications linked to the sale of the product and/or provision of the service (by way of example only, planning of services, after-sales assistance and management of complaints by the data subject, satisfaction surveys, statistics linked to management systems, for quality, payment of invoices)
6. the fulfilment of other obligations under the contract or under applicable law, possibly with the help of the third parties referred to in point 4 below

• Personal data of internal contact persons of legal persons

In the case of legal persons, the GDPR does not apply; however, in the course of normal business activities between companies, the personal data of employees and collaborators may be exchanged (in general, first name, surname, work e-mail, work mobile phone number and any other necessary personal data). We therefore invite you, in accordance with the GDPR and if the prerequisites are met, to inform your employees and collaborators of the purposes and methods of processing their personal data, i.e.:

1. the exchange of communications and documentation for the purpose of drafting/managing commercial offers, purchase orders, order confirmations, transport documents, invoicing and other documentation required for the sale of products and the provision of services
2. any communications linked to the sale of products and the provision of services, such as, but not limited to, planning of services, appointment confirmation, delivery management, after-sales service and management of complaints, satisfaction surveys, statistics linked to management systems, quality management, invoicing and related management
3. the fulfilment of other obligations arising from the contract or from applicable legislation

• Further processing

The data subject’s personal data may be used by the Data Controller:

1. 1. in legal proceedings or in the preparatory stages of such proceedings for the purpose of pursuing a legitimate interest of the data controller (for example, debt collection, management of litigation)
2. for disclosure at the request of public authorities for the fulfilment of legal obligations of the Data Controller (by way of example, images recorded by a video surveillance system).

4. Disclosure, categories of recipients, transfers

Without prejudice to disclosures carried out in compliance with legal and contractual obligations, all data collected and processed may be disclosed to the following category of recipients exclusively for the purposes specified above:

• Companies, professional firms, consultants and professionals, even in associated form, providing consultancy or collaboration in accounting, tax, legal, commercial and debt collection, management systems (e.g. quality management systems, data protection)
• public administrations for the performance of their institutional functions within the limits set by the Law
• Banking institutions for the management of particular payment methods agreed with the Customer
• Companies involved in the management of computer networks and related elements (e.g. servers, PCs, etc.), software and hardware support, telecommunications and web services (e-mail, instant messaging, etc.) for organisational, production, security and service management purposes
• third-party suppliers of products or services to whom the communication is necessary for the performance of the services covered by the contract (e.g. carriers and couriers)
• Certification/accreditation bodies, where applicable

No further disclosure to other recipients or dissemination is envisaged; personal data will not be transferred outside the European Union. In any case, it is understood that, if necessary, the Data Controller may transfer personal data to non-EU countries or use external services (e.g. e-mail services) that may transfer and/or store data in non-EU countries. In such case, the Data Controller hereby ensures that the transfer of personal data will take place in accordance with the applicable legal provisions, where necessary by entering into agreements guaranteeing an adequate level of protection.

5. Storage of personal data

The management and storage of personal data in electronic format will take place on servers/electronic archives, located within the European Union, of the Data Controller and/or duly appointed third party companies.

In any case, it is understood that, if necessary, the Data Controller has the option to move the location of electronic files to non-EU countries or use external services (e.g. e-mail services) that may transfer and/or store data in non-EU countries. In such case, the Data Controller hereby ensures that the transfer of data will take place in accordance with the applicable legal provisions necessary by entering into agreements, if necessary, guaranteeing an adequate level of protection.

The storage of personal data on hard copy will take place in specially prepared files at the Data Controller’s premises.

6. Storage period of personal data

Data required for contractual, accounting and service provision purposes are stored for as long as necessary for the performance of the contractual relationship, including the relevant applicable legislative requirements.

The data of those who do not purchase or make use of the services offered, even though they have had previous contact with the Data Controller, shall be stored until the offer reaches its expiry date and erased/destroyed within a maximum of one year from the date of the offer; this period is also considered reasonable for the benefit of the Customer who may wish to request new offers or changes to offers already issued, even if the date of validity of the same has already passed. After this period, the data will be erased/destroyed.

Once the above storage periods have expired, the data subject will no longer be able to exercise the right of access, erasure, rectification and portability of his/her personal data.

7. Nature of the provision of personal data and legal basis

The provision of personal data as referred to in par. 3, which are essential and necessary for due execution of the contractual relationship, is not compulsory; however, the data subject’s failure to provide personal data will not allow the contract to be executed.

The legal basis for the processing of the data referred to in par. 3 is constituted by:

• the purposes set out in par. 3.1(a), par. 3.1.1 point a) the fulfilment of obligations in connection with activities carried out prior to the contract and the pursuit of a legitimate interest of the Data Controller
• the purposes set out in par. 3.1 points b), c), d), e), par. 3.1.1 points a), b) and c) by the performance of the contract
• the purposes set out in par. 3.1 points d), f), par. 3.1.1 point c) the performance of the contract and the fulfilment of the Controller’s legal obligations
• the purposes set out in par. 3.2 point a) the pursuit of a legitimate interest of the Data Controller
• the purposes set out in par. 3.2 point b) the fulfilment of legal obligations of the Data Controller

8. Rights of the data subject

Pursuant to the GDPR and national legislation, the data subject may, in the manner and within the limits provided for by current legislation, exercise the following rights:

• to request confirmation of the existence of personal data concerning him/her (right of access)
• to know its origin
• to receive intelligible communication
• to know about the existence of automated decision-making process of personal data, including profiling
• to have information on the logic, methods and purposes of processing
• to request the updating, rectification, completion, erasure (“right to be forgotten”), transformation into anonymous form, to object, to ask for restriction of processing, blocking of data processed in breach of the law, including data no longer necessary for the purposes for which they were collected; in the event of rectification or erasure of personal data or restriction of processing, the data controller shall notify any recipients of the processing of such data
• in cases where processing is based on consent and the processing is carried out by automated means, to receive their personal data provided to the Data Controller, in a structured and machine-readable form and in a format commonly used by an electronic device (right to data portability)
• in cases of processing based on consent, withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent given before withdrawal
• receive information about possible breaches of personal data, if the breach is likely to present a high risk for the rights and freedoms of the data subject and if the conditions for such a breach are met (Art. 34 GDPR)
• submit a complaint to the Supervisory Authorities.

You may exercise your rights by sending a request to the addresses indicated below in paragraph 9.

9. Data Controller, Data Controller’s Representative, Data Protection Officer and contact details

The Data Controller is Magis S.p.A., in the person of the Managing Director, who can be contacted at the following addresses:

• Viale della Repubblica, 10 – 27100 Pavia
• amministrazione@magisspa.it
• spa@pec.intred.it

to which data subjects may apply to exercise all their rights under the GDPR and the Act (see par. 8), as well as to withdraw consent previously given; in the event of failure to respond to their requests, data subjects may lodge a complaint with the Data Protection Supervisory Authorities.

A Data Protection Officer (DPO) has not been appointed as it is unnecessary under Article 37 of the GDPR.

Since the controller is established in the European Union, there is no obligation to designate a representative of the controller (Art. 27 GDPR).

10. Updating of the Privacy Policy

The Data Controller updated this Privacy Policy on 21 January 2019; the Data Controller reserves the right to make changes to this Privacy Policy at any time, by giving notice to data subjects by publishing it on the website. Data subjects are therefore invited to frequently consult the website in the dedicated section, taking as reference the date of the last change indicated above.

In the event of non-acceptance of the changes made to this Privacy Policy, the data subject may ask the Data Controller to erase his/her personal data.

Unless otherwise specified, the content of the previous version of the Privacy Policy will continue to apply to personal data collected up to that point.