Dear Sir or Madam,
We wish to inform you that your personal data (the “Personal Data”) will be processed in compliance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (the “General Data Protection Regulation” or “GDPR”) and Decree 196/2003 as amended (the “Privacy Code”).
Pursuant to art. 13 of the General Data Protection Regulation, please note that the Controller is CSI S.p.A. (“CSI”), a sole shareholder company subject to management and coordination by IMQ Group S.r.l., with registered office at Cascina Traversagna 21 – 20030 Senago (MI) and operational and administrative office at viale Lombardia 20/B – 20021 Bollate (MI), Tax Code/VAT no. 11360160151; certified e-mail address: direzione-csi@legalmail.it.
As the Controller, CSI processes the Personal Data provided by each customer (the “Customer”) in compliance with this Policy on the processing of personal data. The Personal Data will be processed in compliance with the principles of legality, propriety and transparency and will be collected in a suitable and pertinent manner limited to the legitimate purposes of processing, as determined and made explicit in advance. The contact address of the Data Protection Officer (the “DPO”) is: dpo@imqgroup.it.
The Personal Data will be processed for the following purposes:
without need for express consent, the Personal Data will be processed:
a. to provide the service indicated in the offer (the “Service”) and for administrative-accounting purposes (“Contractual Purposes”);
b. to exercise or defend our rights, including in the context of credit collection procedures, even via third parties (“Legitimate Interests”);
Provision of the Personal Data for Contractual Purposes is necessary so that the requested Service can be provided; accordingly, in its absence, CSI will not be able to provide the requested Service. Personal Data is processed for Legitimate Interests pursuant to art. 6.f) of the General Data Protection Regulation in pursuit of the legitimate interests of CSI, which are fairly balanced with those of the Customer, as such processing is limited to that strictly necessary in order to provide the Service. Lastly, the processing of Personal Data for Marketing Purposes is optional and, therefore, the Customer may decide not to provide any data for those purposes or, subsequently, to deny any consent given previously by sending an e-mail to the DPO identified in point 7 of this Policy.
In that case, the Customer will not receive any newsletters, commercial communications or advertising materials about the services offered by CSI. The Customer will of course remain entitled to the Service for Contractual Purposes. The revocation of consent will not prejudice the lawfulness of any processing based on consent given prior to its revocation.
The Personal Data is processed via the operations indicated in art. 4.2) of the General Data Protection Regulation being, more specifically: the collection, recording, organisation, structuring, storage, consultation, adaptation or alteration, selection, retrieval, alignment, combination, use, blockage, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction of data.
The Personal Data will be stored on electronic media and in printed form, applying the measures deemed most suitable by the Controller in order to guarantee its security and confidentiality, and avoid any unauthorised access, dissemination, amendment or theft, by adopting suitable technical, physical and organisational security measures.
Within the limits specified in point 6 below, the Personal Data may be communicated to the following categories of recipient for Contractual Purposes: a) suppliers of support and consultancy services in the technology, accounting, administrative, legal and insurance sectors; b) banks; c) counterparties and related defence counsel; d) commercial partners that perform activities outsourced by CSI, as external Processors pursuant to art. 28 GDPR; e) Accreditation Agencies, Certification Bodies, Ministries, Institutions and Associations and, in general, all public and private parties to which communication is mandatory by law or under bilateral agreements reached in pursuit of the above purposes. For Legitimate Interests, the Personal Data may be transferred to the following categories of recipient: a) suppliers of support and consultancy services to CSI in relation to the collection and assignment of receivables, in their role as external Processors; b) competent authorities.
For Marketing Purposes, the Personal Data may be transferred to the following categories of recipient located in and, within the limits specified in point 6 below, outside of the European Union: a) third-party suppliers of support and consultancy services to CSI with regard to the sending of commercial communications; and b) other companies within the IMQ Group.
A complete list of Processors is available, upon request, in the manner specified in this Policy.
Personal Data may be transferred abroad for Contractual Purposes to countries within the European Union, but may also be transferred outside of the European Union and, in particular, to countries in which IMQ Group companies, Accreditation Agencies and other Certification Bodies are located. With reference to transfers outside of the European Union to countries not deemed adequate by the European Commission, CSI adopts suitable and appropriate security measures in order to protect the Personal Data.
Consequently, all transfers of Personal Data to countries located outside of the European Union will take place, in every case, in compliance with the suitable and appropriate guarantees obtained for the purpose of such transfers, such as standard contractual data protection clauses pursuant to the applicable regulations and, in particular, arts. 45 and 46 of the General Data Protection Regulation. In all cases, the Customer is entitled to obtain details of the suitable and appropriate guarantees obtained for transfer of the Personal Data and information about how to obtain a copy of that Personal Data, or where it has been made available.
For Marketing Purposes, Personal Data consisting solely of the e-mail address will be used to send communications via the platforms managed by Growens S.p.A. (“MailUp”) and SurveyMonkey. Both companies act as external Processors pursuant to art. 28 of the General Data Protection Regulation.
The Personal Data will be retained for the time strictly needed to achieve the purposes for which it was collected, as stated in this Policy. In all cases, the following retention deadlines will apply with regard to the processing of Personal Data for the purposes indicated below:
Pursuant to arts. 15-21 of the General Data Protection Regulation, the Customer may at any time exercise the rights of access, rectification or erasure (so-called “right to be forgotten”), restriction of processing and portability of the Personal Data, by sending a specific request to the DPO: dpo@imqgroup.it
The Customer is entitled to lodge a complaint with the Supervisory Authority being, for Italy, the Italian Data Protection Authority, in the manner envisaged on the website www.garanteprivacy.it.
This Policy may be amended and supplemented, even as a consequence of updates made to the applicable regulations that govern the processing of personal data. These amendments will be notified in advance and the Customer may read the latest text of the Policy, which is constantly kept updated, on the website of CSI.