Privacy policy

Privacy Policy on the processing of personal data provided pursuant to Articles 13-14 of Reg. (EU) 2016/679 (GDPR) and the Legislative Decree, as amended. (Act) 30 June 2003 No. 196

1. Introduction

At Magis S.p.A. (hereinafter referred to as the Data Controller) we are aware of the importance of protecting the personal data of our customers, therefore, we handle all information provided to us with extreme care and ensure security and confidentiality when processing personal data. The purpose of this privacy policy on the processing of personal data (hereinafter referred to as “Privacy Policy”), which is provided pursuant to Art. 13-14 of Reg. (EU) 2016/679 (hereinafter the “GDPR”) and Legislative Decree No. 196 of 30 June 2003, as amended (hereinafter, the “Act”) is to provide maximum transparency as to the purposes for which personal data are collected and how they are processed.

2. General information

Data subjects (as defined in the GDPR and the Act) are informed of the following general profiles, which apply to all areas of processing:

• all data are processed lawfully, fairly and transparently in relation to the data subject, in compliance with the general principles laid down in the GDPR and the Act
• data are collected and processed only for the purposes indicated in this Privacy Policy or for the specific purposes already shared with the data subject and/or for which the data subject has given consent
• as little personal data as possible is collected and processed
• when collecting the personal data of a data subject, efforts are made to ensure that they are as accurate and up-to-date as possible
• if the personal data collected are no longer needed for any purpose and the law does not require them to be stored, the data will be erased, destroyed or made anonymous
• certain security measures are taken to prevent data loss, illicit or improper use and unauthorized access
• personal data will not be shared, sold, made available or disclosed to parties other than those referred to in this Privacy Policy
• personal data will not be subject to automated processing or profiling
• full details of each type of data collected are provided in the following dedicated paragraphs of this Privacy Policy.

3. Data collected, processing and purposes

The personal data collected in the ways indicated in the following sub-paragraphs will be processed with the support of hard copy and PC with organisational and processing logics strictly related to the purposes and in any case in such a way as to guarantee the security, integrity and confidentiality of the data in compliance with the organisational, physical and logical measures provided for by the provisions in force. Please note that no profiling activities are carried out using automated methods.

In addition to the Data Controller, in some cases personal data may be accessed by categories of persons in charge duly authorised by the data controller (administrative staff, system administrators, etc.) or external parties (see par. 4) appointed, where applicable, as processors (hereinafter referred to as “Processors”) by the Data Controller. You may ask the Data Controller for an updated list of Processors.

Your personal data are processed at the operations offices of the Data Controller and anywhere else the parties involved in processing are located. For more information, contact the Data Controller.

Where the data provider is under the age of 16, such processing is lawful only if and to the extent that such consent is given or authorised by the Data Controller of the parental responsibility for which the identification data and a copy of the identification documents are acquired.

The interested party declares that he is at least 16 years old and to provide truthful and correct data and not to provide data of other interested parties unless explicitly authorized by written delegation.

• Data collected and purpose of processing

The personal data provided by the user of the website either by filling in the dedicated form or by sending an e-mail to the Data Controller at the address indicated by him on the website, e.g. in the “Contact us” section (name, surname, e-mail address, information contained in cookies, any other necessary personal data) have the purpose of allowing:

1. the navigation on this website
2. sending the information requested by the user
3. the performance of internal management tasks

• Further processing

The data subject’s personal data may be used by the Data Controller:

1. for communication at the request of public authorities for the fulfilment of legal obligations of the Data Controller.

4. Disclosure, categories of recipients, transfers

Without prejudice to communications made in compliance with legal obligations, all data collected and processed may be disclosed only for the purposes specified above to the following categories of recipients:

• Companies, professional firms, consultants or professionals, even in associated form, that provide consultancy or collaboration activities in commercial, insurance, management systems (e.g. quality management systems, data protection)
• Companies dealing with the management of computer networks and their elements (e.g. servers, PCs, etc.), software and hardware assistance, telecommunications and web services (webmaster, e-mail, etc.) for organizational purposes, productive, security and service management
• third-party suppliers of products or services to which the communication is necessary for the fulfilment of the services covered by the request
• Certification/accreditation bodies, where applicable

No further disclosure to other recipients or dissemination is envisaged; personal data will not be transferred outside the European Union. In any case, it is understood that, if necessary, the Data Controller may transfer personal data to non-EU countries or use external services (e.g. e-mail services) that may transfer and/or store data in non-EU countries. In such case, the Data Controller hereby ensures that the transfer of personal data will take place in accordance with the applicable legal provisions, where necessary by entering into agreements guaranteeing an adequate level of protection.

5. Storage of personal data

The management and storage of personal data in electronic format will take place on servers/electronic archives, located within the European Union, of the Data Controller and/or duly appointed third party companies.

In any case, it is understood that, if necessary, the Data Controller has the option to move the location of electronic files to non-EU countries or use external services (e.g. e-mail services) that may transfer and/or store data in non-EU countries. In such case, the Data Controller hereby ensures that the transfer of data will take place in accordance with the applicable legal provisions necessary by entering into agreements, if necessary, guaranteeing an adequate level of protection.

The storage of personal data on hard copy will take place in specially prepared files at the Data Controller’s premises.

6. Storage period of personal data

The data provided for the purposes referred to in points 3.1 b), c) will be kept until the end of processing and for a further 60 days; after this period, if their storage is not otherwise justified, the data will be deleted/destroyed.

For the retention times for the data provided for the purposes referred to in points 3.1 a), please visit the cookie page.

Once the above storage periods have expired, the data subject will no longer be able to exercise the right of access, erasure, rectification and portability of his/her personal data.

7. Nature of the provision of personal data and legal basis

The provision of personal data referred to in par. 3, essential and necessary for the correct execution of the requests made, is not mandatory; however, failure to provide personal data by the interested party will not allow the formulation of the requests made.

The legal basis for the processing of the data referred to in par. 3 is constituted by:

• for the purposes set out in par. 3.1. points a), b), c) the consent of the data subject
• for the purposes indicated in par. 3.2 point a) from the pursuit of a legitimate interest of the Data Controller and from the fulfilment of legal obligations of the Data Controller

With regard to the first point, the data subject may decide not to give consent to the processing of data or to revoke the consent already given for the above purposes; in this case, it is understood that the exercise of this option does not affect the lawfulness of the processing based on consent before the withdrawal.

8. Rights of the data subject

Pursuant to the GDPR and national legislation, the data subject may, in the manner and within the limits provided for by current legislation, exercise the following rights:

• to request confirmation of the existence of personal data concerning him/her (right of access)
• to know its origin
• to receive intelligible communication
• to know about the existence of automated decision-making process of personal data, including profiling
• to have information on the logic, methods and purposes of processing
• to request the updating, rectification, completion, erasure (“right to be forgotten”), transformation into anonymous form, to object, to ask for restriction of processing, blocking of data processed in breach of the law, including data no longer necessary for the purposes for which they were collected; in the event of rectification or erasure of personal data or restriction of processing, the data controller shall notify any recipients of the processing of such data
• in cases where processing is based on consent and the processing is carried out by automated means, to receive their personal data provided to the Data Controller, in a structured and machine-readable form and in a format commonly used by an electronic device (right to data portability)
• in cases of processing based on consent, withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent given before withdrawal
• receive information about possible breaches of personal data, if the breach is likely to present a high risk for the rights and freedoms of the data subject and if the conditions for such a breach are met (Art. 34 GDPR)
• submit a complaint to the Supervisory Authorities.

You may exercise your rights by sending a request to the addresses indicated below in paragraph 9.

9. Data Controller, Data Controller’s Representative, Data Protection Officer and contact details

The Data Controller is Magis S.p.A., in the person of the Managing Director, who can be contacted at the following addresses:

• Viale della Repubblica, 10 – 27100 Pavia
• amministrazione@magisspa.it
• spa@pec.intred.it

to which data subjects may apply to exercise all their rights under the GDPR and the Act (see par. 8), as well as to withdraw consent previously given; in the event of failure to respond to their requests, data subjects may lodge a complaint with the Data Protection Supervisory Authorities.

A Data Protection Officer (DPO) has not been appointed as it is unnecessary under Article 37 of the GDPR.

Since the controller is established in the European Union, there is no obligation to designate a representative of the controller (Art. 27 GDPR).

10. Updating of the Privacy Policy

The Data Controller updated this Policy on January 21, 2019; the Data Controller reserves the right to make changes to this Policy at any time, updating this document.

In the event of non-acceptance of the changes made to this Privacy Policy, the data subject may ask the Data Controller to erase his/her personal data.

Unless otherwise specified, the content of the previous version of the Privacy Policy will continue to apply to personal data collected up to that point.