Malvestio S.p.A., with registered office at Via G. Marconi 12/D, 35010 Villanova di Camposampiero (Padova), hereinafter referred to as the “Data Controller”, in its capacity as data controller, hereby informs you, pursuant to Articles 13 and 14 of EU Regulation No. 2016/679 (hereinafter, the “GDPR”), that your personal data will be processed in the manner and for the purposes described below.
The Data Controller processes personal and identifying data (for example, name, surname, company name, address, telephone number, e-mail address, bank and payment details) — hereinafter referred to as “personal data” — when you provide them, for the purpose of carrying out services related to the Data Controller’s business activities.
Your personal data are processed:
A) Without your express consent (Art. 6, letters b) and e) of the GDPR), for the following Service Purposes:
B) Only with your specific and separate consent (Art. 7 GDPR), for the following Marketing Purposes:
Your personal data are processed by means of the operations indicated in Art. 4, no. 2 of the GDPR, namely: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure, and destruction of data.
Your personal data may be processed both in paper form and electronically and/or by automated means.
The Data Controller will process personal data for the time necessary to fulfil the above purposes and, in any case, for no longer than 10 years from the termination of the relationship for Service Purposes and 2 years from data collection for Marketing Purposes.
Your data may be made accessible, for the purposes set out in Art. 2.A) and 2.B):
Without the need for express consent (Art. 6, letters b) and c) GDPR), the Data Controller may communicate your data for the purposes set out in Art. 2.A) to supervisory bodies, judicial authorities, insurance companies for the provision of insurance services, as well as to those subjects to whom communication is mandatory by law, in order to carry out the purposes mentioned above.
Such subjects will process the data as independent Data Controllers.
Your data will not otherwise be disseminated.
Personal data are stored on servers located within the European Union.
It is, however, understood that, if necessary, the Data Controller reserves the right to move the servers outside the EU. In this case, the Data Controller hereby ensures that the transfer of data outside the EU will take place in compliance with the applicable legal provisions, subject to the stipulation of the standard contractual clauses established by the European Commission.
Providing data for the purposes set out in Art. 2.A) is mandatory. Without them, we will not be able to provide you with the Services referred to in Art. 2.A).
Providing data for the purposes set out in Art. 2.B) is optional. You may therefore decide not to provide any data or to deny consent to the processing of data already provided; in such cases, you will not receive newsletters, commercial communications, or advertising material relating to the services offered by the Data Controller.
You will, however, continue to be entitled to the Services referred to in Art. 2.A).
As the data subject, you have the rights set forth in Art. 15 of the GDPR, and specifically the right to:
i. obtain confirmation as to whether or not personal data concerning you exist, even if not yet recorded, and their communication in an intelligible form;
ii. obtain information on:
a) the origin of the personal data;
b) the purposes and methods of processing;
c) the logic applied in case of processing carried out with the aid of electronic means;
d) the identification details of the controller, the processors, and the designated representative pursuant to Art. 3, paragraph 1, GDPR;
e) the entities or categories of entities to whom the personal data may be communicated or who may become aware of them as designated representatives in the territory of the State, processors, or authorized persons;
iii. obtain:
a) the updating, rectification, or, when interested, integration of the data;
b) the erasure, anonymization, or blocking of data processed unlawfully, including those whose retention is unnecessary for the purposes for which they were collected or subsequently processed;
c) certification that the operations under letters a) and b) have been notified, also as regards their contents, to those to whom the data were communicated or disseminated, except where this requirement proves impossible or involves a manifestly disproportionate effort compared to the right being protected;
iv. object, in whole or in part:
a) on legitimate grounds, to the processing of personal data concerning you, even if relevant to the purpose of the collection;
b) to the processing of personal data concerning you for the purpose of sending advertising materials or direct sales or for carrying out market research or commercial communication, using automated calling systems without the involvement of an operator, via e-mail and/or traditional marketing methods such as telephone and/or postal mail.
Please note that the right of the data subject to object, as mentioned in point b) above, to direct marketing by automated means also extends to traditional methods, and in any case, the data subject may exercise the right to object only in part. Therefore, the data subject may choose to receive communications only by traditional means, only by automated means, or not to receive any communications at all.
Where applicable, you also have the rights set forth in Articles 16–21 of the GDPR (Right to rectification, Right to erasure, Right to restriction of processing, Right to data portability, Right to object), as well as the right to lodge a complaint with the Supervisory Authority.
You may exercise your rights at any time by sending: