MOD P 01 _ Rev.2
PERSONAL DATA PROCESSING DISCLOSURE
PURSUANT TO ARTICLE 13 OF REGULATION (EU) 2016/679 (“GDPR”)
SINAPSI Srl
Dear Customer, this information is provided by SINAPSI S.r.l., with registered office in Via delle Querce no. 11/13, Bastia Umbra (PG), Tax Code and VAT no. 02727730547 (hereinafter, the "Data Controller"), which, as data controller, informs you pursuant to Article 13 of EU Regulation no. 2016/679 (hereinafter, "GDPR") that the data you have already provided and that you will provide in the future as "data subject" will be processed in accordance with the principles of fairness, lawfulness, transparency and protection of your privacy and rights.
1) Data Controller
The data controller is "SINAPSI S.r.l.", with registered office in Via delle Querce no. 11/13, Bastia Umbra (PG), Tax Code and VAT no. 02727730547 on behalf of its legal representative Eng. Massimo Valerii.
The updated list of external Data Processors, Authorised Data Processors, and System Administrators is kept at the Data Controller's headquarters.
2) Categories of personal data processed
The Data Controller processes the personal data you provide or collected in connection with the conclusion of contracts for the purchase of the Data Controller's products and services.
In particular, the following Personal Data may be subject to processing:
- Identification Data: data that allows direct identification, such as personal data (i.e. name, surname, tax code, VAT number, address, etc.), provided to the Data Controller and processed for the purpose of signing and managing the contract;
- Consumption data: data relating to the supply and consumption levels recorded, collected and processed during the term of the contract;
- Economic and Financial Data: data necessary for payments (e.g. IBAN code) or that prove the execution of payments (payment identification details) and any other data relating to the customer’s solvency and punctuality;
- Contact data: contact information such as landline and/or mobile telephone numbers, e-mail address, provided to the Data Controller during the subscription phase or during the duration of the contract or acquired by the Data Controller, which enables to contact you for the purposes of managing the contractual relationship and/or to provide services tailored to your needs;
- Reserved area data: access to the reserved area of the Website is only allowed to registered customers through their "Profile". In this case the so-called "registration data", is necessary for registration and access to the reserved area and to use the services offered.
- Browsing data: the computer systems and software procedures used for the functioning and use of the Website and the App that are acquired during their normal operation, some personal data that allow users to be identified, the transmission of which is implicit in the use of Internet communication protocols. This type of data includes: validation and authentication information, the IP addresses or domain names of the computers used by users who connect to the site, URI (Uniform Resource Identifier) addresses of the resources requested, the date and time of access, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server and other parameters relating to the operating system and the user’s IT environment whose transmission is implicit in the use of web communication protocols or is useful for the better management and optimization of the data and e-mail sending system.
3) Data subject to processing
The processing of Personal Data, for the purposes of this policy, is understood to be any operation or set of operations, carried out manually and/or by computer or electronic means, with the use of automated processes and applied to Personal Data, such as gathering, recording, organising, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making information available, comparison or inter-connection, limitation, cancelling or deleting.
4) Data processing purposes
A) The provision of your Personal Data is necessary (Article 6 letters b), e) of the GDPR) in all cases where the processing takes place on the basis of a legal obligation, to execute a contract, to fulfill pre-contractual obligations or for the legitimate interest of the data controller. In the latter cases, any refusal would make it impossible to fulfil your needs and provide you with the services requested, and specifically to:
- allow the establishment of the contractual relationship with the Company;
- conclude contracts for the sale of the Data Controller's products and the provision of services, including the possibility of providing after-sales support and assistance;
- comply with pre-contractual, contractual and tax obligations relating to the relationship with you;
- allow the use of all the system functionalities and monitor they are functioning properly
- allow registration and/or access to the reserved area;
- verify the creditworthiness, including timely payments, before or during the contractual relationship;
- detect, prevent, mitigate and ascertain fraudulent or illegal activities in relation to the services provided;
- comply with the obligations established by law, by regulations, by EU legislation or by an order from Authorities (such as anti-money laundering);
- exercise the rights of the Data Controller, such as the right of defence in court.
- process a contact request received via e-mail or through the contact form on the website;
- allow Sinapsi Srl to carry out profiling activities by processing your personal data relating, for example, to your consumption preferences and/or your choices to purchase products or services offered by the Data Controller;
- allow the evolution and technological maintenance of the App.;
- allow the ascertainment of hypothetical computer-related crimes;
- allow statistical analysis of the use of the App, including to check its correct functioning and monitor security aspects;
- allow monitoring and evaluation regarding the use of the App by users.
B) The provision of your Personal Data is voluntary for the pursuit of additional purposes listed below so that the lack of consent in relation to these purposes will not, in any case, have any consequence on the conclusion and management of the contract. Consent for these purposes is always optional and, if given, may be revoked at any time, according to the methods described in the "Rights of the data subject" section of this Policy:
- informative newsletters: the issuing, via sms and/or e-mail, of informative and promotional communications by Sinapsi S.r.l. in relation to its initiatives and/or those of subsidiaries and/or related companies;
- special offers and promotions: the issuing via sms and/or e-mail as well as newsletters regarding special offers and promotions regarding our products and services;
- invitations to events or training courses: issuing via sms and/or e-mail as well as newsletters regarding invitations to events, workshops organised by Sinapsi or by third parties and training courses on our products;
- measuring satisfaction regarding the quality of the products purchased, via questionnaires and/or telephone contacts, aimed at improving communication and the services provided, and issuing commercial proposals by Sinapsi in line with the interests and tastes of the data subject.
5) Processing methods
The processing of your personal data may be carried out through the operations indicated in Art. 4, paragraph 2) of the GDPR and specifically: the collection, recording, organisation, storage, structuring, consultation, processing, modification, selection, extraction, comparison, use, interconnection, communication, transmission, dissemination or any other form of making the information available, blocking, disclosure, cancellation and destruction of data.
The data collected will be processed manually, electronically and/or by electronic or automated means using procedures strictly related to the purposes for which the personal data was collected and, in any case, in compliance with the security provisions established by Art. 32 of the G.D.P.R. 2016/679.
The Data Controller will process the personal data for the time necessary to fulfil the aforementioned purposes, and, in any case, for no more than 10 years from the termination of the relationship for the Service Purposes, and no more than 5 years from the collection of the data for the Marketing Purposes.
At the end of the storage period indicated above, the data will be destroyed, deleted or anonymised, subject to technical deletion and backup procedures.
6) Data Recipients
Data may be processed by external parties operating as Data Controllers such as, for example, banking institutions, authorities, supervisory and control bodies and in general subjects, both public and private, entitled to request the data.
Your data may be processed for the purposes set out in point 4) of this policy:
- by employees and collaborators of the Data Controller, in their capacity as Authorised Data Processors and/or system administrators;
- by external parties designated as Processors, who are given appropriate operating instructions. These entities are essentially:
- marketing and promotional-commercial campaign companies;
- companies that offer information system management and maintenance services;
- Professional firms that manage tax and accounting activities and that provide legal assistance;
- consultancy firms that manage personnel administration.
7) Transfer of personal data to countries not belonging to the European Union
Customers are informed that the data is stored on servers located in countries belonging to the European Community.
8) Rights of the Data Subject
With regard to the data processed under this policy, data subjects have the right, at any time, to:
- Access (Article 15 of EU Regulation No. 2016/679) the right to obtain confirmation as to whether or not personal data concerning them is being processed and, if so, to obtain access to their personal data;
- Rectification (Article 16 of EU Regulation no. 2016/679) - the right to obtain, without undue delay, the correction of inaccurate personal data concerning them and/or the integration of incomplete personal data;
- Deletion (Article 17 of EU Regulation no. 2016/679) - the right to obtain, without undue delay, the deletion of personal data concerning them. The right to deletion does not apply insofar as the processing is necessary for the fulfilment of a legal obligation or the execution of a task carried out in the public interest or for the establishment, exercise or defence of legal claims;
- Limitation (Art. 18 EU Regulation no. 2016/679) - the right to obtain the restriction of the processing;
- Portability (Article 20 of EU Regulation No. 2016/679) - understood as the right to obtain data from the Data Controller in a structured, commonly used and machine-readable format and to transmit it to another Data Controller without hindrance;
- Processing opposition (art. 21 EU Regulation no. 2016/679) - the right to object to the processing of personal data concerning them;
- Withdrawal of consent to the processing (art. 7, par. 3 EU Regulation no. 2016/679) - without prejudice to the lawfulness of the processing based on the consent acquired before the withdrawal and which obviously cannot concern cases in which the processing, for example, is necessary to comply with a legal obligation to which the data controller is subject or for carrying out a task in the public interest or related in the exercise of official authority vested in the data controller;
- To lodge a complaint with the Data Protection Authority (Article 51 of EU Regulation no. 2016/679).
Exercising the rights as a data subject is free of charge pursuant to Article 12 of the GDPR. However, in the event of manifestly unfounded or excessive requests, also due to their eventual repetitiveness, the Data Controller may charge a reasonable fee, in light of the administrative costs incurred to manage the request, or refuse to comply with the request.
Finally, we wish to inform you that the Data Controller may request further information necessary to confirm the identity of the data subject.
9. How to exercise your rights
You may exercise your rights at any time by sending:
- a registered letter with return receipt to SINAPSI s.r.l Via delle Querce n.11/13 – 06083 Bastia Umbra (PG)
- or by e-mail to the following address: privacy@sinapsitech.it
10) Minors under 18 years of age
The Data Controller's Services are not intended for minors under the age of 18 and the Data Controller does not intentionally collect personal information referring to minors. In the event that information regarding minors is unintentionally recorded, the Data Controller will delete it in a timely manner.