Art. 13 – 14 of REG. (EU) 679/2016
PERSONAL DATA PROTECTION POLICY FOR CUSTOMERS – SUPPLIERS – THIRD PARTIES OF DIEMME S.R.L.
Updated June 2018
This policy may be subject to changes as a result of the introduction of new laws or new procedures implemented by DIEMME s.r.l. Therefore, we ask that you periodically visit the “Privacy Policy for Customers – Suppliers – Third Parties” section of our website www.diemmeoffice.com to check for updates.
For further information, clarifications, or to exercise the rights listed in this privacy policy, please contact dm@diemmeoffice.com or – with a return receipt letter – DIEMME s.r.l., registered offices in Via del Lavoro n. 25 – Codogné (TV)
Table of contents
1. General privacy information
2. Definition of personal data and data processing
3. Identification of the Data Controller, Data Processor and those tasked with processing
3.1 Data Controller
3.2 Data Processor
3.3 Those tasked with processing
4. Purpose of data processing and other related information
4.1 Processing for pre-contractual and contractual purposes relating to Customers
4.2 Processing for pre-contractual and contractual purposes relating to Suppliers
4.3 Processing for courtesy purposes relating to Customers and Suppliers
4.4 Processing for the evaluation of Third-party CVs
4.5 Processing for marketing and newsletters for Customers, Suppliers and Third parties
4.6 Processing carried out through the website in relation to users (Contact forms – Newsletters – Cookies)
4.7 Closing clause on data processing
5. The rights of the Customer – Supplier – Third Party
6. Safety measures
1. GENERAL PRIVACY INFORMATION
With this Privacy Policy, DIEMME s.r.l., Via del Lavoro n. 25 – Codogné (TV), VAT (IVA) n. IT03126650260, Economic and Administrative (REA) index n. 222188, Treviso Chamber of Commerce, in the person of the pro-tempore legal representative, as the Data Controller, wishes to inform you about the processing of your personal data pursuant to Reg. (EU) 2016/679, which establishes the rules on the protection and safeguarding of natural persons with regard to the processing of their personal data.
This Privacy Policy regulates the processing of data for the purposes described in point 4 et seq. For all processing carried out through our website www.diemmeoffice.com please see the “Website Privacy Policy” link on the website itself.
Personal data processing is based on the principles of fairness, lawfulness, transparency and protection of the Customer’s privacy as well as the safeguarding of his/her rights. DIEMME s.r.l. is committed to observing the aforementioned principles and, to that end, wishes to immediately inform you that (except for processing for which explicit consent is required by law), by providing your personal data, you thereby accept and agree to be bound by the terms and conditions found in this Policy.
Reg. (EU) 679/2016 establishes enhanced protections for those under 16 years old. For this reason, we can process the data of people under 16 years old only if consent is given in advance or authorized by a parent or legal guardian.
In any event, DIEMME s.r.l. would like to provide information on the concept of personal data processing, the people who handle said data, the main processing activities that our company implements and the rights of the data subject.
2. DEFINITION OF PERSONAL DATA AND DATA PROCESSING
Personal data is understood to mean all the information that identifies a natural person or makes that person identifiable. This is information that makes it possible to identify the data subject directly (such as name, surname or tax ID) or even indirectly (such as online ID number or profiling cookies, if they are used on the website).
Personal data processing, on the other hand, is understood to mean any operation or set of operations performed with or without automated processes and applied to personal data or sets of personal data, such as its collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. IDENTIFICATION OF THE DATA CONTROLLER, DATA PROCESSOR AND THOSE TASKED WITH PROCESSING
3.1 Data Controller
The Data Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The Data Controller is also responsible for security profiles. In relation to the processing of your personal data, the Data Controller is DIEMME S.R.L., in the person of a pro-tempore legal representative, further specified in the epigraph. For further clarifications or to exercise your rights, you may contact the Data Controller at the above-indicated addresses.
3.2 Data Processor
The Data Processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. In relation to your personal data, the Data Controller has appointed the following people/companies as external data processors:
- the company’s accounting firm, which will only process the data necessary to adhere to the tax or accounting requirements that the Data Controller is subject to by law;
- the web company that has created our website, which, following the browsing of our site, may process some personal data;
- the sole proprietorship that is responsible for the assistance and maintenance of our computer systems, which may process some personal data.
For more information on the type of data being processed, the processing methods and the names of the companies involved, please contact the aforementioned addresses. The appointment of the aforementioned entities, as well as the scope of their responsibilities, is limited to the already-mentioned processing areas.
3.3 Those tasked with processing
As far as those tasked with processing are concerned, that is, the natural persons who process personal data within the company, DIEMME has formally appointed its employees to this role. Each one of them has been instructed and trained, in relation to the type of activity to carry out within the company, to carefully process personal data.
For more information about said persons, please contact us at the aforementioned addresses.
4. PURPOSE OF DATA PROCESSING AND OTHER RELATED INFORMATION
4.1 Processing for pre-contractual and contractual purposes relating to Customers
Data that we may process
That of the Customer: name, surname, tax ID, VAT no., company name, registered and operational addresses, email, telephone no., bank no., names and surnames of the Customer’s employees if the Customer is a legal person, or names and surnames of the Customer’s relatives if a natural person.
Legal basis for processing
Implementation of pre-contractual measures adopted upon request of the data subject (such as a request for an estimate), implementation of the contract (e.g., the sale contract), or legal obligations (e.g. tax requirements, etc.).
Obligatory or voluntary nature of the provision of personal data
The Customer is not required to provide the aforementioned personal data. However, the refusal to provide said data will result in DIEMME s.r.l. being unable to provide estimates or carry out the activities present in the contract.
Disclosure of personal data
To comply with contractual or legal obligations, some of the aforementioned data may be disclosed to banks, financial institutions, insurance agencies or public entities. To defend its rights, DIEMME s.r.l. may also disclose said data to attorneys. In any case, the data shall be disclosed to company employees who are formally trained in their protection or to entities appointed as external data processors.
Disclosure of personal data to extra-EU countries
Personal data will not be disclosed to countries outside the EU. Our servers are located in Italy.
Processing methods
Using IT/computer systems (e.g., through the use of computers or other management systems) and paper-based systems (e.g. printed documents).
Data storage terms
If the estimate is not accepted, the data that has been provided for the preparation of the offer will be erased immediately. However, should the contract be entered into, personal data will be stored for 10 years from the termination of the contractual relationship for the legal, fiscal and accounting reasons imposed on the company by law.
Closure clause
The Customer, upon reading this Policy, hereby declares to provide it, without delay, to all employees or relatives that may provide personal data to our company.
4.2 Processing for pre-contractual and contractual purposes relating to Service Suppliers
Data that we may process
From Service Suppliers: name, surname, VAT no., registered or operational offices, bank no., email address, telephone no., names and surnames of the Supplier’s employees if a legal person, etc.
Legal basis for processing
Implementation of pre-contractual measures adopted upon request of the data subject (such as DIEMME s.r.l. requesting an estimate from the Supplier), implementation of the contract (e.g., stipulation of the sale contract), or legal obligations (e.g. tax requirements, etc.).
Obligatory or voluntary nature of the provision of personal data
The Service Supplier is not required to provide the aforementioned data. However, without said data, DIEMME s.r.l. will be unable to assess the possibility of stipulating a service contract with the Supplier and/or proceed with its stipulation.
Disclosure of personal data
To comply with contractual or legal obligations, some of the aforementioned data may be disclosed to banks, insurance agencies or public entities. To defend its rights, we may also disclose said data to attorneys. In any case, data shall be disclosed to company employees who are formally trained in their protection or to entities appointed as external data processors.
Disclosure of personal data to extra-EU countries
Data will not be transferred to countries outside the EU. Our servers are located in Italy.
Processing methods
Using IT/computer systems (e.g., through the use of computers or other management systems) and paper-based systems (e.g. printed documents).
Data storage terms
If DIEMME s.r.l. does not accept the estimate, the data provided for the preparation of said offer will be erased immediately. However, should the contract be entered into, personal data will be stored for 10 years from the termination of the contractual relationship for the legal, fiscal and accounting reasons imposed on the company by law.
Closure clause
The Customer, upon reading this Policy, hereby declares to provide it, without delay, to all employees or relatives that may provide personal data to our company.
4.3 Processing for courtesy purposes relating to Customers and Suppliers
Data that we may process of Customers or Suppliers
Name, surname, email address, telephone no., company name, registered offices (only the necessary data among them).
Legal basis for processing
Legitimate interest of the Data Controller.
Obligatory or voluntary nature of the provision of personal data
Customers or Suppliers are not required to provide said personal data. However, the lack of said data will make it impossible for the Data Controller to provide complementary (courtesy) services to loyal Customers and Suppliers. Courtesy services include holiday greeting cards or invitations to special events, etc. The Controller believes that the special relationship held with some Customers and Suppliers is worthy of the legitimate interest of the delivery of communications that have the aforementioned courtesy services as their subject. That does not affect the rights and freedom of the data subject.
Disclosure of personal data
Said data will not be disclosed to third parties. The aforementioned data will be processed exclusively by the employees of DIEMME s.r.l. for the purpose(s) involved in that type of processing.
Disclosure of personal data to extra-EU countries
Personal data will not be transferred to countries outside the EU. Our servers are located in Italy.
Processing methods
Using IT/computer systems (e.g., through the use of computers) and paper-based systems (e.g. printed documents).
Data storage terms
The amount of time personal data is stored depends on the will of the Customer or Supplier who can object to that type of processing by contacting the addresses listed above at any time.
4.4 Processing for the evaluation of third-party CVs
Data that we may process
Candidate data: name, surname, email, telephone no., education, tax ID, etc.
Legal basis for processing
Prior permission granted by the candidate at the end of the CV.
Obligatory or voluntary nature of the provision of personal data
The provision of said data is not required. However, the lack of some personal data will make it impossible for DIEMME s.r.l. to evaluate the proposal coming from the candidate.
Disclosure of personal data
Said data will not be disclosed to third parties. The aforementioned personal data will be processed exclusively by company employees responsible for that type of processing.
Disclosure of personal data to extra-EU countries
Personal data will not be transferred to countries outside the EU. Our servers are located in Italy.
Processing methods
Using IT/computer systems and paper-based systems (e.g. printed documents).
Data storage terms
The storage term depends on whether or not an employment relationship is established. If DIEMME s.r.l. is not interested in the candidate, the candidate’s data will be deleted immediately. However, if the company is interested in the candidate, but not necessarily at that time, DIEMME s.r.l. will store the data for up to 6 months. If the candidate and the company enter into an employment contract, we will save the new employee’s data for 10 years from the termination of the employment relationship for legal reasons.
4.5 Processing for the purposes of sending marketing messages or newsletters for Customers-Suppliers and Third Parties
Data that we may process
Name, surname, email address, telephone no. (among these, only data that is absolutely necessary will be processed).
Legal basis for processing
Specifically in relation to data processing (delivery of advertising / marketing messages or newsletters): the data subject’s consent or legitimate interest of the Controller. In the latter case, especially in regard to certain Customers or Suppliers who, by virtue of already-existing or prior contractual relationships with our company, can expect to receive, from DIEMME s.r.l., messages that are in line with already-demonstrated preferences or interests. There is also legitimate interest in relation to those who, having been on our mailing list for some time, have shown their appreciation for our messages and updates. That does not affect the rights and freedom of the data subject.
Diemme s.r.l. partners with companies that handle advertising and promotions. Therefore, it is possible that some data relating to potential customers will be provided to Diemme s.r.l. by said companies as permitted by relative promotional contracts. The use of said data will take place pursuant to that which is established in this section, in full accordance with the law.
Obligatory or voluntary nature of the provision of personal data
The release of such data is not required. However, the lack of said data will make it impossible for our company to send marketing communications regarding our products, offers and promotions, event invites, training courses, classes or other activities organized by our company, or newsletters to keep you up to date with interesting news relating to furnishings and furniture. Said communications, which are generic and not customized, will be sent via email, SMS, MMS, fax or post.
Disclosure of personal data
The data used for such processing will be disclosed to employees or responsible parties external to our company who have been authorized and instructed on how to carry out that type of processing. In some cases, in order to perform services on your behalf, the data may be disclosed to third parties assigned to manage email marketing services on our behalf (for more on this, see the following section).
Disclosure of personal data to extra-EU countries
When DIEMME s.r.l. partners with third parties to provide you with marketing services or newsletters, some data may be transferred to countries outside of the EU. This happens when the companies we rely on, or their servers, are based outside the European Union. That should not worry you as, if data are effectively transferred, that may happen only on the basis of a decision of suitability adopted by the European Commission, or with appropriate safeguards established by the new European Regulation (such as the presence of binding laws for the company), or, in the absence of said conditions, with the consent of the data subject, or in the context of a contract between the data subject and the Data Controller, or in the context of a contract between the Controller and a third party to carry out a service benefiting the data subject. For any questions or requests for further information on the transfer of your data to non-EU countries, please contact us at the above addresses.
Processing methods
With IT/computer systems, and rarely with paper-based systems.
Data storage terms
The data storage term for marketing, advertising or newsletters depends on the will of the Customer-Supplier-Third Party, who at any time can revoke his/her consent. In relation to processing based on the legitimate interest of the Controller, the Customer or Supplier involved may object to the processing at any time.
4.6 Processing carried out through the website in relation to users (Contact forms – Newsletters – Cookies)
DIEMME s.r.l. has a website, www.diemmeoffice.com, through which the data subject’s data is collected by the Controller. For more info on the processing carried out through our website, please see the “Website Privacy Policy” link at the bottom of the website itself.
4.7 Closing statement on data processing in general
DIEMME s.r.l. only processes data that is strictly necessary for the purpose(s) for which the data is being processed. The data you provide will not be disclosed nor transferred to international organizations. All processing takes place at our company’s registered office or at the offices of those responsible for processing as mentioned above. Automated processing, such as profiling, upon which decisions are based that have legal effects or which similarly impact the sphere of natural persons, is not carried out by DIEMME s.r.l. Except for processing carried out for contractual or legal purposes, your data will only be processed with your prior consent. In some cases, and only when processing takes place for the benefit of the data subject as the subject has a legitimate expectation in that sense, the legal basis for processing will be the legitimate interest of our company. Your personal data will not be disclosed to third parties unless it is required by contractual obligations or by law. Our company is committed to not transferring personal data outside the EU. However, should that occur, the transfer of said data will take place with all the guarantees required by law (adequacy decisions, binding corporate laws or contracts, etc.). The data storage term, subject to revocation or objection by the data subject, will correspond to the term of execution of the service.
5. The rights of the Customer – Supplier – Third Party
The data subject, that is, the person who consents to the processing of personal data by the Controller, has the following rights:
- the right to request that the Data Controller grant access to said personal data, that is, to know what data the Controller possesses;
- the right to have the data updated;
- the right to data rectification, that is, the right to have one’s data modified should said data change;
- the right to data integration, that is, the right to integrate the data with other information provided by the data subject;
- the right to restriction of processing that concerns the data subject, that is, limiting the Data Controller’s use of the data;
- the right to object, for legitimate reasons, to processing;
- the right to data portability, that is, the right to receive all of one’s personal data processed by the Controller in a structured, commonly-used and machine-readable format;
- the right to erasure of one’s data by the Controller;
- the transformation into an anonymous form or the blocking of personal data processed illegally, including those whose storage is not required for the purposes they were collected for or subsequently processed;
- the right to obtain certification of the operations of updating, rectification, integration, erasure, blocking and transformation of data, when brought to the attention of those to whom the data has been transferred or disclosed, even in terms of their content, except where this requirement proves to be impossible or involves a manifestly disproportionate use of financial means with respect to the protected right;
- the right to revoke explicitly-given prior consent, at any time, without prejudice to the legality of the processing carried out up to that point;
- the right to lodge a complaint with a data protection supervisory authority should the EU regulation be violated.
For a more detailed examination of your rights, please see articles 15, 16, 17, 18, 20, 21 of Reg. EU 679/2016. Requests can be sent to the Data Controller, without formalities, at the above-listed addresses.
6. Safety measures
The Data Controller is committed to protecting your personal data, adopting all necessary digital and physical security measures. However, no security system can guarantee, with absolute certainty, such protections. Therefore, except for cases of liability where the Data Controller is at fault, DIEMME s.r.l. shall not be held liable for actions carried out by third parties who illegally access work systems and locations without proper authorization. For more information on security and safety measures, please contact the above-indicated addresses.