Pursuant to articles 13 and 14 of Regulation (EU) 2016/679 (henceforth the “GDPR” or “Regulation”), and, in general, in observance of the principle of transparency established by that same Regulation, CTE S.p.A. (Henceforth the “Company”) hereby provides the following information on the processing of personal data.
1. DATA CONTROLLER and DATA PROTECTION OFFICER CONTACT DETAILS
The Data Controller (i.e. the party who determines the scope and means of personal data processing) is CTE S.p.A., with registered offices at Via Caproni 7, Rovereto, Italy, VAT no. IT02098950229, certified email (PEC) address: email@example.com, tel. +39 0464 485050.
To contact the company specifically in relation to the protection of personal data, including to exercise the rights listed in point 8 below, the dedicated email address is: firstname.lastname@example.org which you can contact for said requests.
2. PURPOSE OF DATA PROCESSING
CTE processes personal data for the following purposes:
the drafting of contracts and fulfilment of contractual obligations (on behalf of and in favour of the Data Controller), and thus for purposes strictly connected to the management of the contractual relationship with you, including administrative and accounting formalities and fulfilments [e.g.: the gathering of preliminary information for the establishment of a contract; the performance of operations based on the obligations deriving from the contract; for operating and management requirements; to monitor and check the execution of the service; to verify tax and social security regularity; to manage litigation (contractual nonfulfiment, arbitration, transactions, debt recovery, arbitration, legal disputes etc.)].
3. TYPES OF DATA PROCESSED
The following data categories may be processed:
– surname, name, date and place of birth, residence;
– tax ID number and/or VAT number;
– telephone number/email address;
– (where applicable in cases of joint liability, etc.) data relating to the regularity of payment of salary and social security obligations.
4. LEGAL BASIS OF DATA PROCESSING AND THE OBLIGATION TO PROVIDE INFORMATION
There is no obligation to provide data in pre-contractual stages, however, failure to do so will make it impossible to enter into a contract. Once a contract has been drawn up, providing further necessary data, or updating the data already provided, is necessary for all that is required by legal and contractual obligations and, therefore, the partial or complete refusal to provide the data may make it impossible for the Company to enter into the contract and may also constitute a breach of contract or violation of the law on the part of the supplier.
The legal basis for processing consists in the fact that said processing is necessary for the execution of the existing contract with you or of the pre-contractual measures adopted per your request or for the fulfilment of a legal obligation to which the Data Controller is subject.
5. DATA COLLECTION, PROCESSING METHODS AND STORAGE
Data is collected from the data subject, i.e., the data are those which you provide, as well as the data found in public registries (such as the CCIAA Chambers of Commerce) or obtained from the bodies which handle the necessary verifications of social security contributions, etc.
Processing will be carried out:
– through the use of manual and automated systems;
– by people or categories of people authorized to carry out the relative tasks;
– through the use of measures which suitably ensure the confidentiality of the data and to avoid access to the data by unauthorized third parties.
Your data will be stored for the entire duration of the contractual relationship and, after the end of the relationship – limited to the data required at that point – for the termination of of the contractual obligations taken on and for the completion of any and all legal requirements and for the needs of protection, including contractual, connected or derived from it.
There are no automated decision-making processes.
6. ACCESS TO DATA
Without prejudice to communications carried out to fulfil legal and contractual obligations, all data collected and processed may be accessed exclusively for the aforementioned purposes by:
a) all people whose right to access said data is recognized by regulatory measures;
b) employees, contractors, suppliers to the Data Controller, in the context of relative tasks and/or contractual obligations related to the fulfilment of the contractual relationship with you. Suppliers to the Controller include but are not limited to banks and credit institutions, insurance agencies, legal consultants, lawyers, tax consultants and accountants, debt collection agencies, companies that detect financial risks and which carry out fraud protection activities, companies responsible for reading meters, companies which print and stuff bills into envelopes, bill delivery companies, etc. If your contractual relationship with us requires contact with our clients or third parties, you personal data – inasmuch as they are necessary to fulfilling the services offered to you – may be shared with these parties.
c) where required by law, public authorities (including tax authorities), social security bodies etc.;
7. PLACE OF DATA PROCESSING
These activities will take place within the European Union. There is no intention to transfer data beyond the European Union or to an international organization.
8. RIGHTS OF THE DATA SUBJECT
The GDPR gives you the right to:
a. Access your personal data (you will thus have the right to receive information on the personal data kept by the Data Controller and relative processing, as well as to obtain a copy in a readable format, free of charge);
b. Correct the data (upon your indication, we will correct or supplement your incorrect or imprecise data – which is not an expression of evaluation criteria – including those which have become so because they are out of date);
c. Withdraw consent (if the processing occurs on the basis of consent you provided, you can withdraw that consent at any time, without prejudice to the lawfulness of the processing which occurred prior to the withdrawal);
d. Delete your data (right to be forgotten) (for example, the data is no longer necessary with respect to the purposes for which it was gathered or processed; it was unlawfully processed; it must be erased to comply with a legal obligation; you have withdrawn consent and there is no other legal basis for the processing; you object to the processing);
e. Restrict the processing (in certain cases – the accuracy of the data is contested by the data subject, for a period within which the Data Controller can verify the data; the data subject objects to the lawfulness of the processing, but is opposed to deletion of the data; the Data Controller no longer needs to process the data but said data is required for legal defence purposes; if there is opposition to the processing, while the necessary verifications are carried out – the data will be saved in such a way that it can be restored but, in the meantime, is not accessible to the Controller if not precisely in relation to the validity of your request for limitation).
f. Wholly or partially oppose the handling of your data for legitimate reasons (in certain situations, you may object to the processing of your data; in particular, if the personal data are processed for direct marketing, you have the right to object to its processing at any time, including to profiling to the extent that it is connected to direct marketing. If personal data is processed for the purposes of scientific or historic research or for statistical purposes, for reasons connected to your particular situation, you have the right to object to the processing, unless the processing is necessary for the fulfilment of a task carried out in the public interest);
g. Data portability (if the processing is based on consent or on a contract and is carried out with automated means, upon your request you will receive your personal data in a structured, commonly used and machine-readable format. You can then transmit said data to another Data Controller, without hindrance from the Controller who provided it and, if technically feasible, you may have the data transmitted directly by that Controller).
h. The right to lodge a complaint with the supervisory authority (the data protection authority, “Garante Privacy” in Italy).