Data processing involves any operation or group of operations, performed also without the aid of automated means, as per art. 4 of EU Regulation 2016/679 (hereafter GDPR).
This document describes the purposes for which the Data Controller collects and processes personal data, how they are processed, which categories of data are processed, the data subject’s rights and how they can be exercised.
- What types of personal data do we process?
In normal circumstances, the automated systems and software procedures used on this Website acquire certain personal data, the transmission of which is implicit in internet communications protocols.
It is information not collected to be associated to identified subjects, but which, due to its nature, could make it possible to identify users, through processing and association to data held by third parties.
This category of data includes IP addresses or dominion names of users’ computers when they connect to the Website, URI addresses for the required resources, the time of the enquiry, the method used to submit the enquiry to the server, the dimensions of the file received in reply, the numerical code indicating the status of the reply provided by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s program.
Data provided voluntarily by the user
Subject to the above concerning navigation data, Riflessi will acquire personal data that may be sent by the data subject through the special forms on the Website, the Data Controller’s contact details or the institutional social media profiles/pages to follow up enquiries or register for a Newsletter. Furthermore, Riflessi will acquire personal and contact details and all the data included in any CVs it receives.
The Data Controller will not use the Website to acquire data that is sensitive or belongs to a special category, as per art. 9 of the Regulation, or data referring to criminal offences or criminal penalties.
Information concerning the processing of personal data through social media platforms
With regard to the processing of personal data by managers of the social media platforms used by the Data Controller, see the information given in their respective privacy policies. The Data Controller processes personal data provided by the data subject through social media platform pages dedicated to running interactions with users (comments, public posts, private messages, etc.), observing current regulations.
- Scope and legal basis of processing
a) To follow up on your enquiries
Data provided voluntarily by you will be processed by the Data Controller in order to follow up on enquiries, and for no other reason. Provision of such data is therefore necessary to obtain the service required and the legal basis of the processing is art. 6.1 (b) of the GDPR (performance of a contract).
Data provided to register for a Newsletter may be used to inform you of promotions, news or Riflessi initiatives in its own trade.
Data given on a CV will be processed for the purpose of selecting personnel.
Your data will be processed to ensure proper functioning of the Website and its contents. In such case, the legal basis for data processing is the Data Controller’s legitimate interests (art. 6.1 (f)).
b) To fulfil legal obligations
The legal basis for data processing in order to fulfil legal obligations is art. 6.1 (c) (legal obligation).
c) To send commercial information
Your personal and contact data, such as name, surname, postal address, email address, landline and mobile telephone numbers, may be used to contact you by telephone or to send commercial information to your home or email inbox or by SMS, including by automated means.
Consent to processing, pursuant to art. 6 (a), is optional and refusal will prevent you from receiving commercial information.
d) To perform profiling in order to formulate customised offers
Pursuant to your giving express, specific consent, the personal data provided, such as vital records, residence and contact details, and type of products purchased or of interest, can be used to formulate customised offers and commercial initiatives in line with your interests and preferences.
Consent for profiling, based on art. 6 (a), is optional and failure to provide it will have no other consequence than to prevent the company from informing you by telephone, SMS, email or surface post of special offers, discounts and customised commercial initiatives.
- Subjects to whom personal data may be communicated
Personal data provided will not be disseminated and may be communicated, for the same purposes, to subjects that:
- operate as subjects authorised by the Data Controller to process data for the aims described above. For this purpose Riflessi S.r.l. guarantees that in-house personnel are duly trained to recognise the importance of protecting personal data and that the instruments used every time are secure;
- operate as independent Data Processors, whenever required by law (e.g. public administrations in performing their institutional functions; lawyers providing legal assistance in any controversies, banking institutes and insurance companies);
- operate as outsourced Data Processors, i.e. subjects authorised by contract who operate in the name and on behalf of Riflessi S.r.l. to carry out the aims described (e.g. companies providing accounting and administrative services and companies appointed by Riflessi S.r.l. to manage its activities).
These companies, authorities and organisations will receive only personal data necessary to perform the contractual services or fulfil legal obligations, and will not be authorised to use them for any other aim whatsoever.
On demand, at any time, the Data Controller will provide a list of the Data Processors involved. Requests should be made to Riflessi srl – Contrada Cucullo – Zona Industriale, 66026 Ortona (CH), e-mail: email@example.com.
If for the purposes described above it is necessary to transfer personal data to a third country, transfer will take place in observance of the law.
- Duration of processing and storage period
Your data will be held for a period strictly necessary to respond to your enquiries and in any case for no longer than 12 months. Data acquired for our ‘News’ and ‘Atelier’ services will be held until your consent is withdrawn by writing to firstname.lastname@example.org. Data contained in CVs sent spontaneously will be used for the sole purpose of assessing applicants and if not selected will be erased within 12 months. In the event of successful assessment, the data will be held for the duration of the employment relationship.
- Data subject’s rights
Pursuant to art. 15 ff of the GDPR, we hereby inform you that you have the right to:
- obtain from the Data Controller confirmation as to whether or not personal data concerning you are being processed, and where that is the case, access to such data. You have the right to know the source of the data, check its accuracy and have it updated, rectified, integrated, erased, or to restrict processing or object to such processing;
- with regard to data processed by automated means, to require their transfer to other data controllers (data portability);
- request and obtain modification and/or rectification of any inaccurate or incomplete personal data;
- request and obtain blocking, anonymization, erasure and/or restriction of processing of your personal data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed.
Requests of this type can be addressed to the Data Controller at: email@example.com.
Please also be informed that you have the right to object to the processing of your personal data by lodging a complaint with the supervisory authority (Garante in Italy).
- Data Controller and contact
The Data Controller is Riflessi srl, registered office in Contrada Cucullo – Zona Industriale, 66026 Ortona (CH) – Italy – P.IVA 01536130691- e-mail firstname.lastname@example.org
If the amendments involve new or further processing that requires the consent of the data subject, and in any case where provided for in current legislation, your personal data will not be further processed without your explicit consent.