Information notice on the processing of personal, identifiable, sensitive and judicial data according to the provisions of Legislative Decree no. 169/2003 and Regulation (EU) 2016/679 (GDPR)
The User, hereinafter also the “Data Subject” with meaning provided under letter “i” of art. no. 4 of Legislative Decree no. 196/03, i.e. any natural or legal person, body or association that is the subject of the personal data.”
- the User/Interested party is the person who accesses the website named www.lombardi.it (hereinafter also only WEBSITE), is an adult of greater age and possessing the ability to understand and want;
- pursuant to Article 23 ("Consent") of Legislative Decree no. 196/03 the processing of personal data by private individuals is allowed only with the express consent of the interested party freely provided and with specific reference to a treatment identified, as well as documented in writing and preceded by the information referred to in art. 13 Legislative Decree no.196/03; equally, in the application of Regulation (EU) 2016/679, 'Consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; in accordance once more with art. 23 ("Consent") of Legislative Decree no. 196/03 if the processing also concerns, or only, so-called "sensitive" data, the consent must be expressed in writing except in the cases referred to in art. 26 par. 4 letter “c” the content of which he or her declares to acknowledge along with the text indicated in note 1 at the end of this authorisation;
- in application of Regulation (EU) 2016/679, the term “Data Subject” means any identified or identifiable natural person, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- in application of Regulation (EU) No 2016/679 the term “Personal Data” means any information relating to the data subject, including personal details, telephone numbers, email addresses, business transactions and payments of money, including the amount, products purchased, the vendor's details and payment methods; the term 'Genetic Data' means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question; the term 'Biometric Data' means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; the term 'Data Concerning Health' means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
- in application of Regulation (EU) No 2016/679 the term `Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction) of personal data related to other subjects; the term 'Cross-border processing' means processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
- in application of Regulation (EU) 2016/679, the term 'Profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- in application of Regulation (EU) 2016/679, the term 'Pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- in application of Regulation (EU) 2016/679, the term 'Data Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; the term 'Data Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; the term 'Recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not; the term `Third Party' means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;- in - in application of Regulation (EU) 2016/679, the term ‘Supervisory Authority’ means all authorities appointed to supervise the correct application of Regulation (EU) 2016/679 in the Italian Republic, more specifically it means the Italian Data Protection Supervisory Authority in Piazza di Monte Citorio no. 121 - 00186 Rome – pec:
For the purpose of this Information Notice, the term “Transaction” means the sale or trading of products according to the laws in force within the Italian Republic.
In accordance with the regulation foreseen by art. 13 (Information Notice) of Legislative Decree no. 196/03, the content of which is acknowledged and the complete text of which is provided in note 2 found at the end of this authorisation, and pursuant to art. 7 (“Conditions for consent”) and art. 12 of Regulation (EU) 2016/679, declares to have been informed of the following:
The identification data concerning the Data Controller are:
LOMBARDI CONVERTING MACHINERY S.P.A. - email: email@example.com.The Data Processor is Claudio Lombardi, the Legal Representative of the company Lombardi Converting Machinery S.p.A., and can be contacted at the following email address: firstname.lastname@example.org.
Any amendment to the details of the Data Processor shall be notified also contextually to the renewal of this consent, with the amendments foreseen pursuant to the Data Processor.
Personal Data shall be processed in a legitimate, correct and transparent manner for the purposes related to the use of the functions allowed by the WEBSITE.WEBSITE performs the collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, dissemination, erasure and destruction of personal data required for the WEBSITE to function.
Personal Data shall be collected for commercial based purposes, in compliance with the purpose for which the User/Data Subject registered or viewed the WEBSITE and, in any case, for purposes which are related and/or necessary to the WEBSITE management activities.
WEBSITE collects and processes the data also for its own and Third Party commercial purposes, including by way of example only, the profiling of Users, the analysis of purchase preferences, the comparison of prices and offers, the comparison of products, marketing and commercial promotion activities, as well as for the need to customise the WEBSITE offer to suit the tastes and needs of the User/Data Subject.
In any case, WEBSITE reserves the right to collect and process data for different purposes and/or in conflict with the interests of the User/Data Subject for its own legitimate interests and to fulfil the legal obligations of the Data Controller or the Data Processor.
Personal Data shall be processed exclusively for purposes pertinent to the use of the WEBSITE functions for which the User/Data Subject registered or viewed the WEBSITE.WEBSITE does not knowingly process the data of minors and, should it become aware of such inadvertent processing, shall immediately ensure erasure of the same.
Personal Data shall be exact and, where necessary, updated according to the indications provided by the User/Data Subject during the registration process.
Personal Data shall be retained for the time necessary to achieve the purposes for which they were collected.
All collected personal data shall be processed using systems that can ensure the security and exclude the whole, or partial, loss or destruction of the same.
To this purpose, it should be noted that the processing by the WEBSITE does not infer and considerable risks to the rights and freedom of natural persons; in any case, the processing does not concern racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation or criminal convictions; the profiling and marketing activities will therefore not be conducted on the basis of the aforementioned data, but solely according to the preferences related to the product purchased or viewed through the WEBSITE.
The acquisition and processing of Personal Data will also take place for the purposes of the anti-money laundering legislation as introduced by the Community Directive no. 2001/97, by Legislative Decree no. 56/2004 as amended and transposed, and by Ministerial Decrees of implementation, and is aware of the possibility that the same data shall be communicated to the Italian Exchange Office to verify the correct fulfilment of the aforementioned obligations. Conferral of personal data is purely optional and not mandatory, except where expressly provided by law, but is required in order to view and use the WEBSITE functions.
If the Data Subject is authorised to use mobile applications connected to the WEBSITE, data relating to the position of the data subject, including general information (e.g. IP address, postal code) and more specific information are also conferred, stored and processed, (e.g. GPS-based features found on mobile devices used to access the platform or specific features of the same). If the Data Subject accesses the WEBSITE from a mobile device and does not want the device to provide information on his or her location, the same can disable GPS or other location tracking features on the device, provided this is allowed by the device.
The User/Data Subject is aware of the processing of the "Log Data", which is automatically recorded by our servers or server spaces, including sites hosted by Third Parties, each time the User/Data Subject accesses or uses the WEBSITE, regardless of whether or not he or she is a registered user or has logged in to his or her account; such data are, by way of example only, the IP address, the date and time of access, text fonts, the hardware and software used to access the site, the source and target sites and URLs, the number of clicks, the pages viewed and the order of these pages, as well as the amount of time spent on particular pages. These data are also subject to separate consent that the Data Subject already issues to the Data Controller that performs the search engine activity in the web browser (e.g. Google) and can be used for analytics services and to track the User/Data Subject’s activities resulting from the interaction with WEB SITE.
No User personal data is acquired by the WEBSITE by means of the so-called cookies.
No cookies are used to transmit personal information and no form of the persistent cookies or user tracing systems are used. The use of session cookies (which are not permanently stored on the user’s computer and which are cancelled when the browser is closed) is strictly limited to the transmission of session identification data (consisting in random numbers generated by the server) which is required in order to ensure the website remains secure and efficient. The session cookies used on this website mean it is not necessary to use other data processing techniques which potentially compromise the navigation privacy levels for users and they do not consent the acquisition of personal data which can identify the user. This type of cookie integrates features developed by third-parties (Google Maps, Youtube videos, social network links, online payments, etc.) into the website pages to share the contents of the website or for the use of third-party software services (such as software generating maps and additional software that offer additional services). These cookies are sent from third-party domains and partner websites that offer their functions through the WEBSITE’s pages. You can view the conditions according to which the cookies are managed on your browser by visiting the website of the developer (e.g.: Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera, etc.).
The activities of the Data Subject party are tracked if he or she clicks on an advertisement for the WEBSITE services on Third Party sites or platforms such as search engines and social networks, whereby the User/Data Subject's activities are also tracked if he or she clicks on an advertisement of Third Parties on the WEBSITE.
WEBSITE collects, also on behalf of Third Parties, and allows Third Parties to collect information on the online activities of Users for the profiling of purchases made by the User for commercial purposes, including marketing activities.
WEBSITE may allow the User/Data Subject to connect to the WEBSITE with information from his or her device or from other social media sites and platforms, including, by way of example only, a list of contacts and related identification data; in this case WEBSITE shall collect and process the shared information in order to improve the use of the WEBSITE services by the User/Data Subject.
WEBSITE may allow the use of some services without prior registration, such as, for instance, transactions with unregistered Users. In this case, WEBSITE only collects the data strictly necessary to provide service granted to the unregistered User, including information on the device connecting to the WEBSITE, the technical data of use of the platform, the geolocation information necessary to allow and perform the Transaction and the data necessary for payments related to the Transaction.
If relative consent and provision of the necessary data is not granted, it will not be possible to continue to use the WEBSITE services.
The Data Controller shall not transfer personal data of Data Subjects to foreign or third countries.
The Data Subject shall be guaranteed all the rights foreseen by art. 7 Rights to access personal data and other rights) of Legislative Decree no. 196/03, the content of which is acknowledged and the complete text of which is provided in note 5 found at the end of this authorisation.
The User/Data Subject, pursuant to Regulation (EU) 2016/679, are guaranteed, by request to be sent to the Data Processor
- right of access (art. 15 of the Regulation (EU) to the data so as obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, the category of data concerned, the recipients or categories of recipient to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored, the existence of the existence of automated decision-making, including profiling, referred to in Article 22 paragraphs (1) and (4) of Regulation (EU) 2016/679;
- the right of rectification, including the integration of incomplete data (art. 16 of Regulation (EU) 2016/679);
- the right to erasure (art. 17 of said Regulation (EU) of data without undue delay by request of the Data Subject is mandatory if:
- they are no longer necessary for the Processing purpose;
- the Processing consent is revoked;
- the Data Subject objects to the processing under art. 21 of Regulation (EU) 2016/679;
- the data has been illicitly processed;
- the right to erasure is imposed by Italian or EU regulations.
- The cancellation obligation does not apply in cases that refer to the exercising the right to freedom of expression and information, the fulfilment of a legal obligation that imposes such processing, for reasons of public interest or public order imposing such processing or for judiciary related purposes requiring such processing.
- the right to restriction of processing (art. 18 of said Regulation (EU) when the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
- the obligation for the Controller to communicate (art. 19 of said Regulation (EU) and any personal data recipients regarding the erasure, rectification or restriction of processing.
- the right to data portability (art. 20 of said Regulation (EU) whereby the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, also in multiple examples, by email to the address specifically indicated by the User/Data Subject on a gratuitous basis, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, whereby the processing is carried out by automated systems as in this case;
- the right to object to the processing of one’s Personal Data (art. 21 of said Regulation (EU)) unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;
- the right not to be subject to automated decision-making, including profiling, unless the same is necessary for entering into, or performance of, a contract between the data subject and a data controller; it is authorised by Union or Member State law or can be based on the data subject's explicit consent (art. 22 of said Regulation EU).
The Data Controller hereby declares that there are no specific risks related to the processing of the Personal Data of the Data Subject, that it has assessed all storage and processing burdens and risks, and to have carefully selected and put in place the best possible precautions to guarantee the confidentiality and inaccessibility of the personal data of the Data Subject.
The Data Controller reserves the right to use all improved data security systems including encoding, pseudonymisation and encryption of the processed personal data.
The Data Controller also declares the use of suitable anti-intrusion and violation protection systems also on servers, or server spaces, as available or in any case as used by Third Parties.
The processing of personal - identifiable - sensitive - judicial data shall be performed within the scope of art. 25 of Legislative Decree no. 196/03, the content of which the same declares to acknowledge, and the text of which is provided in note 6 included at the end of this authorisation, and for the declared purposes, and in addition to processing, may also be communicated and/or disseminated according to the technical meaning illustrated under letters a) and m) of paragraph 1 of art. 4 of Legislative Decree no. 196/03, with the text provided in not 7 included at the end of this authorisation. The WEBSITE Data Controller and owner may be involved in mergers, incorporations, acquisitions, spin-offs and, in this case, it may transfer its corporate assets, including personal data of the Data Subject, who acknowledges and accepts the same; in this case the Data Subject shall be informed before his or her personal data are transferred or otherwise subject to different policies and/or authorisations concerning the processing of personal data.
The Data Subject undertakes to keep his or her personal data updated and notify the Data Controller of any amendments or updates therein.
In view of the above:
The User/Data Subject spontaneously declares to authorise the processing of his or her personal data, in accordance with the foregoing and more generally the requirements of Legislative Decree no. 196/03 and Regulation (EU) 2016/679.
Information Notice under Legislative Decree no. 196 of 30 June 2003
1. ART. 26 par. 4 letter “c” - SAFEGUARDS APPLYING TO SENSITIVE DATA) “(...) 4. Sensitive data may also be processed without consent, subject to the authorisation of the Supervisory Authority: c) if the processing is necessary for carrying out the investigations by defence counsel referred to in Law no. 397 of 07.12.2000, or else to establish or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary. Said claim must not be overridden by the data subject’s claim, or else must consist in a personal right or another fundamental, inviolable right or freedom, if the data can disclose health and sex life;
2. ART. 13 - INFORMATION NOTICE: “1. The data subject as well as any entity from whom or which personal data are collected shall be preliminarily informed, either orally or in writing, as to: a) the purposes and modalities of the processing for which the data are intended; b) the obligatory or voluntary nature of providing the requested data; c) the consequences of any refusals; d) the entities or categories of entity to whom or which the data may be communicated, or who/which may get to know the data in their capacity as data processors or persons in charge of the processing, and the scope of dissemination of said data; e) the rights as per Section 7; f) the identification data concerning the data controller and, where designated, the data controller’s representative in the State’s territory pursuant to Section 5 and the data processor. If several data processors have been designated by the Data Controller, at least one among them shall be referred to and either the site on the communications network or the mechanisms for easily accessing the updated list of Data Processors shall be specified. If a Data Processor has been designated to provide responses to Data Subjects in the event they exercise their rights as per Article 7, such data processor shall be their reference. 2. The information as per paragraph 1 shall also contain the items referred to in specific provisions of this Code and may fail to include certain items if the latter are already known to the entity providing the data or their knowledge may concretely impair supervisory or control activities carried out by public bodies for purposes related to defence or State security, or else for the prevention, suppression or detection of offences. 3. The Supervisory Authority may issue a provision to set out simplified information arrangements as regards, in particular, telephone services providing assistance and information to the public. 4. Whenever the personal data are not collected from the data subject, the information as per paragraph 1, also including the categories of processed data, shall be provided to the data subject at the time of recording such data or, if their communication is envisaged, no later than when the data are first communicated. 5. Paragraph 4 shall not apply: a) if the data are processed in compliance with an obligation imposed by a law, regulations or Community legislation; b) if the data are processed either for carrying out the investigations by defence counsel as per Act no. 397 of 07.12.2000 or to establish or defend a legal claim, provided that the data are processed exclusively for said purposes and for no longer than is necessary therefore;c) if the provision of information to the data subject involves an effort that is declared by the Supervisory Authority to be manifestly disproportionate compared with the right to be protected, in which case the Supervisory Authority shall lay down suitable measures, if any, or if it proves impossible in the opinion of the Supervisory Authority.
3. ART.4 – DEFINITIONS: (...). B) < personal data >, any information referring to a physical person, juridical person, entity or association, identified or identifiable, even indirectly, through reference to any other information, including a personal identification number. c) < identification data >, shall mean personal data allowing a data subject to be directly identified; d) < sensitive data >, shall mean personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life; e) < judicial data >, shall mean personal data disclosing the measures referred to in Section 3(1), letters a) to o) and r) to u), of Presidential Decree no. 313 of 14 November 2002 concerning the criminal record office, the register of offence-related administrative sanctions and the relevant current charges, or the status of being either defendant or the subject of investigations pursuant to Sections 60 and 61 of the Criminal Procedure Code;
4. ART.4 – DEFINITIONS: (...). f) < data Controller >, shall mean any natural or legal person, public administration, body, association or other entity that is competent, also jointly with another data controller, to determine purposes and methods of the processing of personal data and the relevant means, including security matters; g) < data Processor >, shall mean any natural or legal person, public administration, body, association or other agency that processes personal data on the controller’s behalf; h) < persons in charge of the processing > shall mean the natural persons that have been authorised by the data controller or processor to carry out processing operations.
5. ART. 7 - RIGHTS TO ACCESS PERSONAL DATA AND OTHER RIGHTS 1. The Data Subject has the right to request confirmation as to whether or not personal data concerning him/her exists, regardless of their being already recorded, and communication of such data in an intelligible form. 2. In particular, the Data Subject has the right to obtain indications on: a) the source of the personal data; b) the purposes and methods of the processing; c) the logic applied to processing if the same is carried out with the use of electronic means; d) the personal data of the Controller, the persons in charge and the designated representatives pursuant to Art.5 paragraph 2; e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of such data in their capacity as Representatives for the Country, Chief Processors or Designated Officers. 3. The Data Subject has the right to obtain indications on : a) updating, rectification or, where interested therein, integration of the data; b) erasure, anonymisation or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed; c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected. 4. The Data Subject is entitled to object, totally or partially: a) on legitimate grounds, the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection;b) the processing of his/her personal data for the distribution of advertising materials or direct sales or for market research or business communications.
6. ART. 25 (BANS ON COMMUNICATION AND DISSEMINATION) “1. Communication and dissemination shall be prohibited if an order to this effect has been issued by either the Supervisory Authority or judicial authorities: a) with regard to personal data that must be erased by order, or else upon expiry of the term referred to in Section 11(1), letter e), b) for purposes other than those specified in the notification, whenever the latter is to be submitted. 2. This shall be without prejudice to communication and dissemination of the data as requested, pursuant to law, by police, judicial authorities, intelligence and security agencies and other public bodies according to Section 58(2), for purposes of defence or relating to State security, or for the prevention, detection or suppression of offences.
7. ART.4 – DEFINITIONS: (...). a < processing >shall mean any operation, or set of operations, carried out with or without the help of electronic or automated means, concerning the collection, recording, organisation, keeping, interrogation, elaboration, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, dissemination, erasure and destruction of data, whether the latter are contained or not in a data bank; l) < communication >shall mean disclosing personal data to one or more identified entities other than the data subject, the data controller’s representative in the State’s territory, the data processor and persons in charge of the processing in any form whatsoever, including by making available or interrogating such data; m) < dissemination > shall mean disclosing personal data to unidentified entities, in any form whatsoever, including by making available or interrogating such data.