PRIVACY

EXTENDED INFORMATION PURSUANT TO ARTICLES 12, 13 AND, WHERE NECESSARY, 14 OF THE GDPR – REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER THE GDPR)

The data controller sets out below the Information Notice pursuant to Articles 12, 13 and, if necessary, 14 of the GDPR regarding the processing of personal data provided by the Customer/interested party through the completion and signing of the Contract to purchase the products/services offered for sale by the data controller itself, by spontaneously uploading personal data to this website (in particular through the completion of forms) or simply by browsing it.

1. Data controller and contact information
The data controller is FALEGNAMERIA ARTIGIANA PESCE, based in SAN LIBERALE – MARCON (Venice), Viale DON LUIGI STURZO 60/A, C.F. , P.I. 03192330276, tel. +39 041 449169, fax, e-mail fale_luca@libero.it, web www.fapcantierenautico.com (hereinafter the Site).

2. Principles applicable to processing
In accordance with the requirements of the GDPR, the data controller makes constant efforts to ensure that personal data are:

  1. processed in a lawful, fair and transparent manner;
  2. collected for specified, explicit and legitimate purposes, and subsequently processed in a manner that is not incompatible with those purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, if necessary, updated;
  5. kept for a period of time not exceeding the achievement of the purposes for which they are processed;
  6. processed, through appropriate technical and organizational measures, so as to ensure their security;
  7. processed, if by virtue of consent, by a decision freely made by the Client/interested party, on the basis of a request submitted in a manner clearly distinguishable from the rest, in a comprehensible and easily accessible form, using simple and clear language.

The data controller shall take appropriate technical and organizational measures to ensure the protection of personal data by design and to ensure that only the data necessary for each specific processing purpose are processed by default.
The data controller collects and takes into the utmost consideration indications, remarks and opinions of the Client/Subject transmitted to the above contact details, in order to implement a dynamic privacy management system that ensures effective protection of individuals, with regard to the processing of their data.
This Information Notice may be subject to change, in line with the evolution of the reference legislation and the technical and organizational measures gradually adopted by the data controller; the Client/interested party is, therefore, requested to periodically visit this section of the Website, to view the updates and the Information Notice in the text in force from time to time.

3. Methods of processing personal data
The processing of personal data is carried out manually and by electronic means, with logic strictly related to the purposes set out below and, in any case, in such a way as to ensure the security and confidentiality of the data.

4. Purpose of personal data processing

(4a) Purposes for which data processing is necessary
The personal data provided by the Client/interested party are mainly processed for the execution of the Contract and the management of credit and, more generally, of the relationship arising from the Contract itself.
The provision of data in the Contract or later, during the course of the contractual relationship, for the processing purposes in question is obligatory; therefore, failure to provide such data, or providing them only partially or inaccurately, makes it impossible to enter into and/or execute the Contract and, for the Client/interested party, to take advantage of the products/services offered by the data controller, potentially exposing the Client/interested party to liability for breach of contract.
The personal data provided by the Client/interested party may also be processed if this is necessary to fulfill a legal obligation to which the data controller is subject, to safeguard the vital interests of the Client/interested party or another natural person, to perform a task of public interest or related to the exercise of public powers vested in the data controller, or to pursue the legitimate interest of the data controller itself or of third parties, provided that the interests or fundamental rights and freedoms of the Client/interested party do not prevail; even in these cases, the provision of data is obligatory and, therefore, failure to communicate the data, or communicating them only partially or inaccurately, may expose the Client/interested party to possible liabilities and sanctions provided for by the legal system.

 

(4b) Additional purposes of processing following specific and express consent of the Client/concerned party
In addition to the aforementioned processing purposes, the personal data provided/acquired may be processed, subject to the consent of the Client/concerned party, to be expressed by checking the box <<Consent>> on the Contract or on the Site (or using other social or web applications of the data controller), also for the purpose of conducting market surveys and to carry out commercial and promotional communications, by telephone (also using the cell phone number provided) and automated contact systems (e-mail, sms, mms, fax, etc.), on products/services of the data controller or of companies in the Group to which the data controller may belong.
Consent for the purposes of processing referred to in this point (4b) is optional; therefore, following any refusal, the data will be processed only for the purposes indicated in point (4a) above, except as specified below with reference to the legitimate interests of the data controller or third parties.

5. Categories of personal data processed
The data controller mainly processes identification/contact data (first name, last name, addresses, type and number of identification documents, telephone numbers, e-mail addresses, data of a fiscal/billing nature, among others) and, if commercial transactions are envisaged, financial data (of a banking nature, in particular current account identifiers and credit card numbers, among others related to the aforementioned commercial transactions).
The processing that the data controller carries out, both for the execution of the Contract and by virtue of the express consent of the Client/interested party, does not generally concern special categories of personal data, known as sensitive data (revealing racial or ethnic origin, political opinions, religious beliefs, state of health or sexual orientation, etc.), nor genetic and biometric data or so-called judicial data (relating to criminal convictions and offenses).
However, it cannot be ruled out that the data controller, in order to perform the obligations arising from the Contract, must retain and/or has the need to process sensitive, genetic and biometric or judicial data, of the Client/interested party or of third parties, which the Client/interested party has in its capacity as data controller; in this hypothesis, the processing by the data controller takes place by virtue of, under the conditions and within the limits set forth in the appointment of the same data controller as data processor, by the Client/interested party.
The data controller also processes, as the data controller with reference to the Site, and, potentially, as the data processor appointed for this purpose (under the terms set out above) by the Client/Interested Person, so-called browsing data. The computer systems and software procedures responsible for the operation of the Internet sites acquire, in the course of their normal operation, some personal data, the transmission of which is implicit in the use of Internet communication protocols. This is information that is not collected in order to be associated with identified individuals, but by its very nature, it could allow the identification of the data subject. This category of information includes geolocation data, IP addresses, browser type, operating system, domain name and addresses of websites from which access or exit was made, information on pages visited by users within the site, access time, time spent on individual pages, internal path analysis and other parameters related to the user’s operating system and computer environment. It is, therefore, information that, by its very nature, makes it possible to identify users through processing and association, including with data held by third parties.
The Site may also make use of cookies, both session cookies (which are not stored on the computer of the interested party and vanish when the browser is closed) and persistent cookies, for the transmission of information of a personal nature, or in any case of systems for tracking interested parties.

6. Source of personal data

The personal data that the data controller processes are collected directly by the data controller from the Customer/data subject at the time of, and during, the Customer’s browsing of the Site (or by using other social or web applications of the data controller), or, including by means of its own salespeople, at the time of, or subsequent to, the signing of the Contract, during the execution of the Contract, or from public sources.
As specified above, the data controller, as the data processor appointed for this purpose, in order to perform the obligations arising from the Contract, may store and/or process data, in particular navigation data, potentially also sensitive, genetic and biometric or judicial data, of third parties, which the Client/interested party has in its capacity as data controller, acquired, with the consent of said third parties, at the time of, and during, the navigation of said third parties on the Site (or using other social or web applications referable to the data controller).

7. Legitimate interests

The legitimate interests of the data controller or third parties may constitute a valid legal basis for processing, provided that the interests or fundamental rights and freedoms of the data subject are not overridden. In general, such legitimate interests may exist when there is a relevant and appropriate relationship between data controller and data subject, such as when the data subject is a customer of the data controller. In particular, it is a legitimate interest of the data controller to process personal data of the Client/interested party: for fraud prevention purposes; for direct marketing purposes; to ensure the free movement of the same data within the Business Group to which the data controller may belong; or, in the case of traffic-related data, to ensure network and information security, i.e., the ability of a network or system to withstand unforeseen events or unlawful acts that may compromise the availability, authenticity, integrity and confidentiality of data.

8. Circulation of personal data

(8a) Disclosure of personal data – categories of recipients.
In addition to employees and collaborators in various capacities of the data controller (who are authorized to carry out processing by the data controller itself by virtue of appropriate written operating instructions, in order to ensure the confidentiality and security of the data), some processing operations may also be carried out by third parties, to whom the data controller entrusts certain activities, or part of them, functional to the purposes referred to in point (4a), and therefore in performance of both contractual and legal obligations. These include, by way of a necessarily non-exhaustive list: commercial and/or technical partners; companies that provide banking and financial services; companies that carry out document archiving services; debt collection companies; auditing and balance sheet certification companies; rating companies; subjects that carry out, in favor of the data controller, professional assistance and consulting activities; companies that carry out customer care activities; factoring, credit securitization or otherwise assignee companies; companies in the Group to which the data controller may belong; subjects that provide commercial information; computer service companies. The subjects belonging to the aforementioned categories process the personal data as autonomous data controllers, or as data processors, with reference to specific processing operations that are part of the contractual services that the subjects themselves perform for/on behalf of the data controller; the data controller issues appropriate written operating instructions to the data processors, with particular reference to the adoption of minimum security measures, in order to guarantee the confidentiality and security of the data.
Some processing operations may be carried out by third parties, to whom the data controller entrusts certain activities, or part of them, also functional to the purposes referred to in point (4b). These include, by way of a necessarily non-exhaustive list: commercial and/or technical partners; companies that institutionally provide marketing services; advertising agencies; subjects that provide assistance and consulting activities with reference to contests and prize operations. Subjects belonging to the aforementioned categories process personal data as autonomous data controllers, or as data processors, with reference to specific processing operations that are part of the contractual services that the subjects themselves perform for/on behalf of the data controller; the data controller issues appropriate written operating instructions to the data processors, with particular reference to the adoption of minimum security measures, in order to guarantee the confidentiality and security of the data.
A list, subject to periodic updating, of the data controllers with whom the data controller has relations is available upon written request to be sent to the data controller’s office.
Personal data may, in addition, be communicated, if requested, to the competent authorities, in fulfillment of obligations arising from mandatory legal regulations.

 


(8b) Transfer of personal data to third countries.

The personal data of the Client/concerned party may also be transferred abroad, either to countries within the European Union or to countries outside the European Union and, in the latter case, either on the basis of an adequacy decision, or within the scope and with the appropriate safeguards provided for by the GDPR (thus, in particular, in the presence of standard data protection contractual clauses approved by the European Commission), or, outside the cases mentioned above, where one or more of the exceptions provided for in the GDPR apply (in particular, by virtue of the explicit consent of the Client/Subject, or for the performance of the Contract concluded by the Client/Subject, or for the performance of a contract entered into between the data controller and another natural or legal person for the benefit of the Client/Subject, in particular for the performance of activities entrusted to it by the data controller for the performance of the Contract concluded with the Client/Subject). In the case of data transfers to countries outside the European Union, the Client/Interested Party may, upon written request to be sent to the headquarters of the data controller, be informed of the appropriate safeguards, or the exceptions, that legitimize cross-border processing. It is understood, in case of data transfer to countries outside the European Union, that for any request concerning the data, including for the exercise of the rights recognized by the GDPR to the Client/Interested Party, the latter may always validly apply to the data controller.


9. Criteria for determining the retention period of personal data

For the purposes referred to in (4a) above, the period of retention of personal data released by the Client/concerned party, and their consequent potential processing, coincides with the period of prescription of the rights/duties (legal, tax, etc.) arising from the Contract: as a rule 10 years, therefore, unless events interrupting the prescription occur that could, in fact, prolong said period.
For the purposes referred to in (4b) above, the period of retention of the data released by the Client/interested party, and the consequent potential processing thereof, ends with the revocation of the consent previously given by the Client/interested party or, failing that, in any case one year after the termination of any relationship between the data controller and the Client/interested party.

10. Rights of the client/interested party
The data controller recognizes – and facilitates the exercise, by the Client/interested party, of – all the rights provided for by the GDPR, in particular the right to request access to his or her personal data and to extract a copy thereof (Art. 15 GDPR), to rectification (Art. 16 GDPR) and deletion of the same (Art. 17 GDPR), to limitation of the processing that concerns him or her (Art. 18 GDPR), to the portability of data (Art. 20 GDPR, if the conditions are met) and to object to the processing that concerns him or her (Arts. 21 and 22 GDPR, for the hypotheses mentioned therein and, in particular, to processing for marketing purposes or that results in automated decision-making, including profiling, that produces legal effects concerning him or her, if the conditions are met).
The data controller also recognizes, where the processing is based on consent, the right of the Client/Party to revoke that consent at any time, without affecting the lawfulness of the processing based on the consent given prior to revocation. To do so, the Client/interested party can unsubscribe at any time on the Site (or on other social or web applications of the data controller) or by using the appropriate link at the bottom of each commercial communication received, or by contacting the data controller at the contact details above.

In addition, the data controller informs the Client/Interested Party of the right to lodge a complaint with the Italian Data Protection Authority, as the supervisory authority operating in Italy, and to file a judicial appeal, both against a decision of the Data Protection Authority and against the data controller itself and/or a data processor.

11. Security of systems and personal data
Taking into account the state of the art and the cost of implementation, as well as the nature, subject matter, context and purposes of the processing, as well as the risk, in terms of probability and severity, to the rights and freedoms of natural persons, the controller shall take technical and organizational measures deemed appropriate to ensure a level of security appropriate to the risk, in particular by ensuring, on a permanent basis, the confidentiality, integrity, availability and resilience of the processing systems and services (including through the encryption of personal data, where necessary) and the ability to restore data availability in a timely manner in the event of a physical or technical incident, and by adopting internal procedures directed at regularly testing, verifying and evaluating the effectiveness of the technical and organizational measures employed.
In assessing the appropriate level of security, account shall be taken of the risks presented by the processing that result, in particular, from the destruction, loss, alteration, unauthorized disclosure of or access, whether accidental or unlawful, to personal data transmitted, stored or otherwise processed.
The data controller shall ensure that any person acting under its authority and having access to personal data shall not process such data unless instructed to do so by the same data controller.
That being said, the Client/Party acknowledges and accepts that no security system can guarantee absolute protection with certainty; therefore, the data controller is not liable for the acts or deeds of third parties who, despite the adequate precautions taken, unlawfully access the systems without due authorization.

12. Automated decision-making processes, including profiling
The Data Controller may carry out automated processing, including profiling, in relation to the purposes set out in (4b) above, to optimize the navigability of the Site (or the usability of other social or web applications of the Data Controller) and to improve the shopping experience, subject to the above with regard to the Customer’s/Data Subject’s rights to object and withdraw consent.
Profiling means any form of automated processing of personal data aimed at assessing certain aspects relating to a natural person, in particular to analyze or predict aspects concerning, for example, that person’s personal preferences, interests, or location, including for the purpose of creating profiles, i.e., homogeneous groups of individuals by characteristics, interests, or behavior.
The data controller does not carry out any automated processing that produces legal effects concerning the Client/Party or that significantly affects him/her in a similar way, unless this is necessary for the conclusion or execution of the Contract, is authorized by law or is based on the explicit consent of the Client/Party, in any case always recognizing the Client/Party’s right to obtain human intervention, to express his/her opinion and to contest the decision.