Information notice on the processing of personal, identifiable, sensitive and judicial data according to the provisions of Legislative Decree no. 169/2003 and Regulation (EU) 101/2018 (GDPR) and Legislative Decree no. 101/2018
The User, hereinafter also the “Data Subject” with the meaning provided under letter “i” of art. no. 4 of Legislative Decree no. 196/03, i.e. any natural or legal person, body or association that is the subject of the personal data.
- the User/Interested party is the person who accesses the website named www.lombardi.it (hereinafter also only WEBSITE), is an adult of greater age and possessing the ability to understand and want;
- pursuant to Article 23 ("Consent") of Legislative Decree no. 196/03 the processing of personal data by private individuals is allowed only with the express consent of the interested party freely provided and with specific reference to a treatment identified, as well as documented in writing and preceded by the information referred to in art. 13 of Legislative Decree no. 196/03; equally, in the application of Regulation (EU) 2016/679, 'Consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; in accordance once more with art. 23 ('Consent') of Legislative Decree no. 196/03 if the processing also, or only, concerns so-called "sensitive" data, the consent must be expressed in writing except in the cases referred to in art. 26 par. 4 letter “c” the content of which he or she declares to acknowledge along with the text indicated in note 1 at the end of this authorisation;
- in application of Regulation (EU) 2016/679, the term 'Data Subject' means any identified or identifiable natural person, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- in application of Regulation (EU) 2016/679 the term 'Personal Data' means any information, of whatever nature, relating to the Data Subject; the term 'Genetic Data' means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question; the term 'Biometric Data' means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; the term 'Data Concerning Health' means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
- in application of Regulation (EU) No 2016/679 the term 'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data related to other subjects; the term 'Cross-border processing' means processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
- in application of Regulation (EU) No 2016/679 the term 'Profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- in application of Regulation (EU) No 2016/679 the term 'Pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- in application of Regulation (EU) No 2016/679 the term 'Data Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; the term 'Data Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; the term 'Recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not; the term 'Third Party' means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- in application of Regulation (EU) No 2016/679 the term ‘Supervisory Authority’ means all authorities appointed to supervise the correct application of Regulation (EU) 2016/679 in the Italian Republic, more specifically it means the Italian Data Protection Supervisory Authority in Piazza di Monte Citorio no. 121 - 00186 Rome - pec firstname.lastname@example.org.
In accordance with the regulation foreseen by art. 13 (Information Notice) of Legislative Decree no. 196/03, the content of which is acknowledged and the complete text of which is provided in note 2 found at the end of this authorisation, and pursuant to art. 7 ('Conditions for consent') and art. 12 of Regulation (EU) 2016/679, declares to have been informed of the following:
The identification data concerning the Data Controller are:
LOMBARDI CONVERTING MACHINERY S.P.A. - email: email@example.com.
The Data Processor is Claudio Lombardi, the Legal Representative of the company Lombardi Converting Machinery S.p.A., and can be contacted at the following email address: firstname.lastname@example.org.
Any amendment to the details of the Data Processor shall be notified also contextually to the renewal of this consent, with the amendments foreseen pursuant to the Data Processor.
Personal Data shall be processed in a legitimate, correct and transparent manner for the purposes related to the use of the functions allowed by the WEBSITE.
WEBSITE performs the collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, dissemination, erasure and destruction of personal data required for the WEBSITE to pursue its purposes, to provide the in-line services provided by the WEBSITE for administration, management, organisational, tax and accounting activities of the Data Controller.
Personal Data shall also be collected for commercial based purposes, in compliance with the purpose for which the User/Data Subject registered with the WEBSITE and, in any case, for purposes which are related and/or necessary to the WEBSITE management activities, excluding - therefore - any use other than and/or in conflict with the interests of the User/Data Subject, except the legal obligations of the Data Controller or the Data Processor.
Personal Data shall be processed exclusively for purposes pertinent to the use of the WEBSITE functions for which the User/Data Subject registered with the WEBSITE.
Personal Data shall be exact and, where necessary, updated according to the indications provided by the User/Data Subject during the registration process.
Personal Data shall be retained for the time necessary to perform the allowed processing and for a maximum further ten years from the termination of the allowed processing. In any case the processing can never exceed said period, except for express renewal of consent as required by the Data Subject.
Personal data shall be processed using suitable procedures to guarantee security and exclude any loss or destruction, even partial, of the same (e.g. daily incremental and differential system back-ups, storage of copies on icloud spaces or networks, antivirus systems, changing of data access passwords for the data processors appointed by the Processing Data Controller at suitable intervals).
To this purpose, it should be noted that the processing by the WEBSITE does not entail any considerable risks to the rights and freedom of natural persons; in any case, the processing does not concern racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation or criminal convictions; the profiling and marketing activities will therefore not be conducted on the basis of the aforementioned data, but solely according to the preferences related to the product purchased or viewed through the WEBSITE platform.
The acquisition and processing of Personal Data will also take place for the purposes of the anti-money laundering legislation as introduced by the Community Directive no. 2001/97, by Legislative Decree no. 56/2004 as amended and transposed, and by Ministerial Decrees of implementation, and is aware of the possibility that the same data shall be communicated to the Italian Exchange Office to verify the correct fulfilment of the aforementioned obligations.
Conferral of personal data is purely optional and not mandatory, except where expressly provided by law, but is required in order to register with the WEBSITE and the relative Processing is a mandatory registration condition.
Personal Data are collected every time the Data Subject accesses the WEBSITE to register and to access, manage or use the services provided by the same, or connects his or her account on a third-party site to his or her own account on the WEBSITE where allowed by the latter.
If the Data Subject is authorised to use mobile applications connected to the WEBSITE, data relating to the position of the data subject, including general information (e.g. IP address, postal code) and more specific information are also conferred, stored and processed, (e.g. GPS-based features found on mobile devices used to access the platform or specific features of the same). If the Data Subject accesses the WEBSITE from a mobile device and does not want the device to provide information on his or her location, the same can disable GPS or other location tracking features on the device, provided this is allowed by the device.
The User/Data Subject is aware of the processing of the 'Log Data', which is automatically recorded by our servers or server spaces, including sites hosted by Third Parties, each time the User/Data Subject accesses or uses the WEBSITE, regardless of whether or not he or she is a registered user or has logged in to his or her account; such data are, by way of example only, the IP address, the date and time of access, text fonts, the hardware and software used to access the site, the source and target sites and URLs, the number of clicks, the pages viewed and the order of these pages, as well as the amount of time spent on particular pages. These data are also subject to separate consent that the Data Subject already issues to the Data Controller that performs the search engine activity in the web browser (e.g. Google) and can be used for analytics services and to track the User/Data Subject’s activities resulting from the interaction with the WEBSITE.
No User personal data is acquired by the WEBSITE by means of the so-called cookies. No cookies are used to transmit personal information and no form of the persistent cookies or user tracing systems are used. The use of session cookies (which are not permanently stored on the user’s computer and which are cancelled when the browser is closed) is strictly limited to the transmission of session identification data (consisting in random numbers generated by the server) which is required in order to ensure the website remains secure and efficient. The session cookies used on this website mean it is not necessary to use other data processing techniques which potentially compromise the navigation privacy levels for users and they do not consent the acquisition of personal data which can identify the user. This type of cookie integrates features developed by third-parties (Google Maps, Youtube videos, social network links, online payments, etc.) into the website pages to share the contents of the website or for the use of third-party software services (such as software generating maps and additional software that offer additional services).
These cookies are sent from third-party domains and partner websites that offer their functions through the website’s pages. You can view the conditions according to which the cookies are managed on your browser by visiting the website of the developer (e.g.: Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera, etc.).
WEBSITE may allow Third Parties to collect information on the online activities of Users.
The Data Subject consents to the transmission of Personal Data to Third-Parties, including sensitive and judicial data (e.g. Lawyers, Website management and maintenance service providers, management of software used by the Data Controller's organisation, Accountants for tax and accounting requirements related to the Data Controller's business operations).
WEBSITE may use social media plugins provided and managed by Third Parties, (such as the Facebook like icon, or similar Instagram, Linkedin or Youtube applications); using such plugins, the Data Subject may send information on what he or she is viewing in a specific section of the WEBSITE to Third Parties. If the Data Subject has not logged into his or her Third Party account, the Third Party should not be aware of his or her identity unless consent to the processing of personal data is provided by the Data Subject directly to the Third Party.
If the Data Subject has logged into his or her Third Party account, then the Third Party may be able to link information relating to the visit of the Data Subject to the WEBSITE to his or her Third Party account. Similarly, its interactions with the social media plugin may be recorded by the Third Party. These methods used to access the data of Data Subjects by the Third Party are beyond the control of the WEBSITE and the processing is not performed by the Data Controller or by the WEBSITE Data Processor, but by the Third Party to whom the Data Subject should have granted relative consent to such data processing.
If the data required for the registration and browsing of the WEBSITE is not collected, it will be impossible to accept and proceed with the registration; the account will not be enabled or will be cancelled if the consent to the Processing of the Personal Data is denied.
WEBSITE may consent to the collection by Third Parties, previously authorised by the User/Data Subject, on the online activities of Users also relating to the profiling of purchases made by the User for commercial purposes.
WEBSITE collects and processes the data also for its own and Third Party commercial purposes, including by way of example only, the profiling of Users (e.g. Google Analytics, Google Font) , the analysis of purchase preferences, the comparison of prices and offers, the comparison of products, marketing and commercial promotion activities, as well as for the need to customise the WEBSITE offer to suit the tastes and needs of the User/Data Subject.
If consent to the processing of personal data is granted, of whatever nature including sensitive, judicial, genetic, biometric or concerning health, within the limits and for the purposes related to the authorised Processing, Italian Authorities and Judiciary Authorities may access the same for their related institutional requirements and, therefore, subjects within such bodies designated to the collection and/or processing of the same.
The Data Controller may transfer personal data of Data Subjects to foreign or third countries depending on the payment methods chosen by the Data Subject.
The Data Subject shall be guaranteed all the rights foreseen by art. 7 (Rights to access personal data and other rights) of Legislative Decree no. 196/03, the content of which is acknowledged and the complete text of which is provided in note 5 found at the end of this authorisation.
The User/Data Subject, pursuant to Regulation (EU) 2016/679, is guaranteed the following, by request to be sent to the Data Processor:
- right of access (art. 15 of the Regulation (EU)) to the data so as to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, the category of data concerned, the recipients or categories of recipient to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored, the existence of automated decision-making, including profiling, referred to in Article 22 paragraphs (1) and (4) of Regulation (EU) 2016/679;
- the right of rectification, including the integration of incomplete data (art. 16 of Regulation (EU) 2016/679);
- the right to erasure (art. 17 of said Regulation (EU)) of data without undue delay; erasure by request of the Data Subject is mandatory if:
  - they are no longer necessary for the Processing purpose;
  - the Processing consent is revoked;
  - the Data Subject objects to the processing under art. 21 of Regulation (EU) 2016/679;
  - the data has been illicitly processed;
  - the right to erasure is imposed by Italian or EU regulations.
The cancellation obligation does not apply in cases that refer to the exercise of the right to freedom of expression and information, the fulfilment of a legal obligation that imposes such processing, reasons of public interest or public order imposing such processing, or judiciary related purposes requiring such processing.
- the right to restriction of processing (art. 18 of said Regulation (EU)) when the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
- the obligation for the Controller to notify (art. 19 of said Regulation (EU)) any personal data recipients of the erasure, rectification or restriction of processing.
- the right to data portability (art. 20 of said Regulation (EU)) whereby the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, also in multiple examples, by email to the address specifically indicated by the User/Data Subject on a gratuitous basis, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, whereby the processing is carried out by automated systems as in this case;
- the right to object to the processing of one’s Personal Data (art. 21 of said Regulation (EU)) unless the controller demonstrates compelling legitimate grounds to proceed with the processing regardless.
- the right not to be subject to automated decision-making, including profiling, unless the same is necessary for entering into, or performance of, a contract between the data subject and a data controller; it is authorised by Union or Member State law or can be based on the data subject's explicit consent (art. 22 of said Regulation EU).
The Data Controller hereby declares that there are no specific risks related to the processing of the Personal Data of the Data Subject, that it has assessed all storage and processing burdens and risks, and that it has carefully selected and put in place the best possible precautions to guarantee the confidentiality and inaccessibility of the personal data of the Data Subject.
The Data Controller reserves the right to use all improved data security systems including encoding, pseudonymisation and encryption of the processed personal data.
The processing of personal - identifiable - sensitive - judicial data shall be performed within the scope of art. 25 of Legislative Decree no. 196/03, the content of which the same declares to acknowledge, and the text of which is provided in note 6 included at the end of this authorisation, and Regulation (EU) 2016/679, and for the declared purposes, and in addition to processing, may also be communicated and/or disseminated according to the technical meaning illustrated under letters a) and m) of paragraph 1 of art. 4 of Legislative Decree no. 196/03, with the text provided in note 7 included at the end of this authorisation.
The WEBSITE Data Controller and owner may be involved in mergers, incorporations, acquisitions, spin-offs and, in this case, it may transfer its corporate assets, including personal data of the Data Subject, who acknowledges and accepts the same; in this case the Data Subject shall be informed before his or her personal data are transferred or otherwise subject to different policies and/or authorisations concerning the processing of personal data.
The Data Subject undertakes to keep his or her personal data updated and notify the Data Controller of any amendments or updates therein.
Pursuant to the foregoing, the User/Data Subject spontaneously declares to authorise the processing of his or her personal data, in accordance with the foregoing and more generally the requirements of Legislative Decree no. 196/03 and Regulation (EU) 2016/679.
Pursuant to the foregoing, the User/Data Subject spontaneously declares to authorise the processing of his or her personal data, in accordance with the foregoing and more generally the requirements of Legislative Decree no. 196/03 and Regulation (EU) 2016/679, the processing of his or her personal data for commercial purposes, including profiling, marketing and sending of commercial and promotional communications.
Information Notice under Legislative Decree no. 196 of 30 June 2003
1. ART. 26 par. 4 letter “c” - SAFEGUARDS APPLYING TO SENSITIVE DATA) “(...) 4. Sensitive data may also be processed without consent, subject to the authorisation of the Supervisory Authority: c) if the processing is necessary for carrying out the investigations by defence counsel referred to in Law no. 397 of 07.12.2000, or else to establish or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary. Said claim must not be overridden by the data subject’s claim, or else must consist in a personal right or another fundamental, inviolable right or freedom, if the data can disclose health and sex life;
2. ART. 13 - INFORMATION NOTICE: “1. The data subject as well as any entity from whom or which personal data are collected shall be preliminarily informed, either orally or in writing, as to: a) the purposes and modalities of the processing for which the data are intended; b) the obligatory or voluntary nature of providing the requested data; c) the consequences of any refusals; d) the entities or categories of entity to whom or which the data may be communicated, or who/which may get to know the data in their capacity as data processors or persons in charge of the processing, and the scope of dissemination of said data; e) the rights as per Section 7; f) the identification data concerning the data controller and, where designated, the data controller’s representative in the State’s territory pursuant to Section 5 and the data processor. If several data processors have been designated by the Data Controller, at least one among them shall be referred to and either the site on the communications network or the mechanisms for easily accessing the updated list of Data Processors shall be specified. If a Data Processor has been designated to provide responses to Data Subjects in the event they exercise their rights as per Article 7, such data processor shall be their reference. 2. The information as per paragraph 1 shall also contain the items referred to in specific provisions of this Code and may fail to include certain items if the latter are already known to the entity providing the data or their knowledge may concretely impair supervisory or control activities carried out by public bodies for purposes related to defence or State security, or else for the prevention, suppression or detection of offences. 3. The Supervisory Authority may issue a provision to set out simplified information arrangements as regards, in particular, telephone services providing assistance and information to the public. 4. Whenever the personal data are not collected from the data subject, the information as per paragraph 1, also including the categories of processed data, shall be provided to the data subject at the time of recording such data or, if their communication is envisaged, no later than when the data are first communicated. 5. Paragraph 4 shall not apply: a) if the data are processed in compliance with an obligation imposed by a law, regulations or Community legislation; b) if the data are processed either for carrying out the investigations by defence counsel as per Act no. 397 of 07.12.2000 or to establish or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefore; c) if the provision of information to the data subject involves an effort that is declared by the Supervisory Authority to be manifestly disproportionate compared with the right to be protected, in which case the Supervisory Authority shall lay down suitable measures, if any, or if it proves impossible in the opinion of the Supervisory Authority.
3. ART.4 – DEFINITIONS: (...). b) < personal data >, any information referring to a physical person, juridical person, entity or association, identified or identifiable, even indirectly, through reference to any other information, including a personal identification number. c) < identification data >, shall mean personal data allowing a data subject to be directly identified; d) < sensitive data >, shall mean personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life; e) < judicial data >, shall mean personal data disclosing the measures referred to in Section 3(1), letters a) to o) and r) to u), of Presidential Decree no. 313 of 14 November 2002 concerning the criminal record office, the register of offence-related administrative sanctions and the relevant current charges, or the status of being either defendant or the subject of investigations pursuant to Sections 60 and 61 of the Criminal Procedure Code;
4. ART.4 – DEFINITIONS: (...). f) < data Controller >, shall mean any natural or legal person, public administration, body, association or other entity that is competent, also jointly with another data controller, to determine purposes and methods of the processing of personal data and the relevant means, including security matters; g) < data Processor >, shall mean any natural or legal person, public administration, body, association or other agency that processes personal data on the controller’s behalf; h) < persons in charge of the processing > shall mean the natural persons that have been authorised by the data controller or processor to carry out processing operations.
5. ART. 7 - RIGHTS TO ACCESS PERSONAL DATA AND OTHER RIGHTS 1. The Data Subject has the right to request confirmation as to whether or not personal data concerning him/her exists, regardless of their being already recorded, and communication of such data in an intelligible form. 2. In particular, the Data Subject has the right to obtain indications on: a) the source of the personal data; b) the purposes and methods of the processing; c) the logic applied to processing if the same is carried out with the use of electronic means; d) the personal data of the Controller, the persons in charge and the designated representatives pursuant to Art.5 paragraph 2; e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of such data in their capacity as Representatives for the Country, Chief Processors or Designated Officers. 3. The Data Subject has the right to obtain indications on : a) updating, rectification or, where interested therein, integration of the data; b) erasure, anonymisation or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed; c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected. 4. The Data Subject is entitled to object, totally or partially: a) on legitimate grounds, the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection; b) the processing of his/her personal data for the distribution of advertising materials or direct sales or for market research or business communications.
6. ART. 25 (BANS ON COMMUNICATION AND DISSEMINATION) “1. Communication and dissemination shall be prohibited if an order to this effect has been issued by either the Supervisory Authority or judicial authorities: a) with regard to personal data that must be erased by order, or else upon expiry of the term referred to in Section 11(1), letter e), b) for purposes other than those specified in the notification, whenever the latter is to be submitted. 2. This shall be without prejudice to communication and dissemination of the data as requested, pursuant to law, by police, judicial authorities, intelligence and security agencies and other public bodies according to Section 58(2), for purposes of defence or relating to State security, or for the prevention, detection or suppression of offences.
7. ART.4 – DEFINITIONS: (...). a) < processing > shall mean any operation, or set of operations, carried out with or without the help of electronic or automated means, concerning the collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, dissemination, erasure and destruction of data, whether the latter are contained or not in a data bank; l) < communication > shall mean disclosing personal data to one or more identified entities other than the data subject, the data controller’s representative in the State’s territory, the data processor and persons in charge of the processing in any form whatsoever, including by making available or interrogating such data; m) < dissemination > shall mean disclosing personal data to unidentified entities, in any form whatsoever, including by making available or interrogating such data.