Information for the sales network, retailers, installers and technical partners
The companies URMET SpA, Urmet ATE Srl, GLT Srl are part of a group of companies in the same shareholding structure, which provide complementary products and services that are often integrated.
Within this Group of companies, URMET SpA provides various types of services to other companies in the HR, ICT, marketing and commercial fields.
Since the aforesaid companies have the same network of retailers and installers of intercom, video intercom, videorecording, alarm systems, home automation and automation products, and the same technical partners that promote, advise, recommend, install and carry out maintenance, repair and replacement work on our products, they operate as Joint Data Controllers and have signed a specific agreement, pursuant to Article 26 GDPR, concerning processing that pursues the following commercial and technical objectives:
provision of support services to retailers and installers;
management of commercial relationships with retailers and installers;
sending of useful information and technical and regulatory updates;
proposals for professional development and support initiatives;
reminders or notifications of deadlines and obligations;
invitations to seminars, meetings, gatherings;
sending of catalogues and other product presentation material;
sending of technical, informative and updating documentary material;
admission to technical services and added value;
information on technical updating and professional training initiatives;
admission to seminars, courses, professional development sessions;
proposal of new products and services;
preparation of procedures for participation in calls for tenders, competitions, etc.;
conducting fact-finding surveys in aggregate form.
Therefore, if you are a retailer or installer and you are in contact with any of the Joint Controllers indicated above, you may be asked for some personal data. For this reason we provide you with the following information:
Identity of the Joint Controllers
Urmet SpA , in the person of its pro tempore legal representative, with registered office in Via Bologna 188/C – Turin;
Urmet ATE Srl
, in the person of its pro tempore legal representative, with registered office in Via Pola, 30
36040 Torri di Quartesolo – Vicenza
GLT Srl , in the person of its pro tempore legal representative, with registered office in Via Bologna, 152, 10154 Turin TO
Data Protection Officer (“DPO”)
To ask questions about this privacy policy or about how the data are managed, contact the Data Protection Officer (DPO) at dpo@urmet.com
Source and type of data processed
a) The Joint Controllers collect personal data provided on a voluntary basis by the user when registering on the website of any of the Joint Controllers or when carrying out a transaction through the website, in addition to other personal data associated with order processing. These personal data include: Title, name and surname, company name, VAT number (if applicable), email address, username and password, shipping and billing address (including postcode, city and country), telephone and fax number, type and quantity of products ordered, order date, order fulfilment status, delivery date and time, order value, currency, payment information, return requests or offers for the user and the following information voluntarily provided by the user: how they found out about the website, company details, number of employees and, for business customers, the date the company was founded (collectively, "Transaction Data").
b) The Joint Controllers also collect data on the user’s use of the website, such as IP address and the products viewed; whether the user visits the website through a referral page or a link in a promotional email or advertisement on another website that redirects to the website of a Joint Controller. The Joint Controllers may also collect information on the referral page and the promotional email or targeted advertisement, along with the user's IP address to analyse the effectiveness of marketing operations (collectively, "usage data").
Purpose of the processing
Personal data are processed for the following purposes:
1) Transaction data will be used to process orders, handle payments, communicate with the user about the order, handle product returns and customer service requests, and to fulfil product pickups. They will also be used to acquire pre-contractual data and information; exchange information aimed at executing the contractual relationship, including pre- and post-contractual activities; formulate requests or process requests received;
2) to manage accounting and tax compliance;
3) Transaction data will also be used to send personalised messages or invitations to review products; in the case of registered customers, usage data will be used together with transaction data (except for payment information) to show personalised products on the website based on the interests expressed by the user. If the user requests marketing communications and the newsletter to be sent, their transaction data and website usage data will be analysed by the Joint Controllers in order to send personalised commercial communications based on the preferences indicated.
4) Finally, the data will be used to manage and control risks, prevent possible fraud, insolvency or default; prevent and manage possible disputes, and to take legal action if necessary.
Legal basis for the processing
Processing is carried out on the following legal bases:
performance of a contract to which the data subject is a party or the execution of pre-contractual measures adopted at its request, with regard to the processing listed in point 1;
fulfilment of administrative, fiscal and civil obligations to which the Joint Controllers are subject (purpose 2);
at the data subject’s express consent, with regard to the processing listed in point 3;
pursuit of the Joint Controllers’ legitimate interest (protection and prevention of fraud and insolvency), with regard to the processing listed in point 4.
Data retention
The Joint Data Controllers will retain and process personal data for the time necessary to fulfil the indicated purposes.
In any case, data relating to transactions having administrative relevance will be retained for 10 years.
Data recipients
The personal data processed will not be disclosed, that is, they will not be made known to unspecified parties, in any possible form, including making them available or simply consulting them.
employees of the Joint Controllers, on the basis of the roles and work duties performed, who are authorised and trained to carry out processing operations;
expressly authorised internal and external consultants operating under the authority of the Joint Data Controllers;
external parties (service providers) designated as Data Processors : e.g. professionals or companies providing accounting and tax consultancy and assistance services, hosting service providers, marketing service providers, website completion, IT maintenance service providers, shipping service providers.
If the data subject requests marketing communications and the newsletter of one of the Joint Controllers to be sent, their name, email address and other transaction and usage data will be shared to allow an analysis of their interests and to send personalised commercial communications based on the preferences indicated.
Transaction data are shared to enable the management of any product recalls and so that the Joint Controllers can contact the user in this event .
Finally, the data may be disclosed to the entities entitled to access them under legal provisions, regulations and EU legislation.
The full, updated list of recipients is available upon request at the headquarters of the Joint Controllers.
Nature of data provision
The provision of data is mandatory for contractual, administrative and fiscal purposes. Additional data (telephone number, email address, etc.) are essential for managing the organisational aspects. For this reason, their partial or incomplete disclosure could compromise the effective management of the relationship.
Providing consent for marketing purposes is optional and does not affect the establishment and normal continuation of the commercial relationship.
Data transfer
Under no circumstances will the Joint Data Controllers transfer personal data to third countries or to international organisations. However, they reserve the right to use cloud services; in this case, the service providers will be selected from among those reside in countries for which an adequacy decision is required (Article 45 GDPR) or that provide adequate guarantees, as required by Article 46 GDPR 2016/679.
Rights of the data subject
The data subject may exercise the rights provided for by GDPR 2016/679 at any time, including:
- access to their personal data and all other information referred to in Article 15;
- rectification of inaccurate data and/or completion of incomplete data (Article 16);
- erasure of data (data cannot be erased if it is obligatory for the information to be kept or if the Data Controller’s legitimate interest to continue the processing prevails over that of the data subject) (Article 17);
- restriction of processing in the cases indicated in Article 18;
- the right to receive personal data in a structured, machine-readable format and to transfer it to another Data Controller (Article 20);
- the right to object to the processing of data under the conditions set out in Article 21.
Furthermore, the data subject may at any time withdraw any consent that may have been given for the purpose referred to in point 3.
The data subject may exercise the aforementioned rights by writing to the Data Controller at Urmet SPA, or by calling : 0112400000, providing any identification details proving the legitimacy of the request.
The data subject also has the right to lodge a complaint with the supervisory authority of their country of residence (Data Protection Authority).
Information for those who register in the reserved area
This information is provided, pursuant to Article 13 GDPR 2016/679 – “European Regulation on the protection of personal data”, to the commercial network (installers, wholesalers) who register in the reserved area on the website
Data Controller
The Data Controller is Urmet SpA , in the person of its pro tempore legal representative, with registered office in via Bologna 188/C – 10154 Turin (TO), tel: 0112400000.
Data Protection Officer (“DPO”)
To ask questions about this privacy policy or about how the data are managed, contact the Data Controller's Data Protection Officer (DPO) at dpo@urmet.com
Source and type of data
Personal data are those provided spontaneously by the user by filling in the registration form on the website.
Purpose of the processing
Personal data are processed to create an account, manage access to the area and allow the user to use the services associated with the registration. If the user decides to subscribe to the newsletter during registration, their email address will be used to send promotional communications on the company's products and services.
Legal basis for the processing
Processing is carried out for the performance of a service at the data subject’s request (Article 6(b) GDPR), for management of the account, express consent (Article 6(b) GDPR) and to send the newsletter.
Data retention
The data will be kept until the user makes a request to cancel the account.
Data recipients
The personal data processed by the Data Controller will not be disclosed, that is, they will not be made known to unspecified parties, in any possible form, including making them available or simply consulting them.
The data may be disclosed to:
the Data Controller's employees, on the basis of the roles and work duties performed, who are authorised and trained to carry out processing operations;
expressly authorised internal and external consultants operating under the authority of the Data Controller;
external parties (service providers) designated as Data Processors: e.g. suppliers of IT services for assistance and maintenance of the website, hosting providers.
Finally, the data may be disclosed to the entities entitled to access them under legal provisions, regulations and EU legislation. These entities act as independent Data Controllers.
The full, updated list of recipients is available upon request at the Data Controller's headquarters.
Nature of data provision
The provision of data is optional. However, the data marked with (*) are essential to create an account. Therefore, any refusal to provide such data will make registration impossible. Subscribing to the newsletter service is optional.
Data transfer
Under no circumstances will the Data Controller transfer personal data to third countries or to international organisations. However, the Data Controller reserves the right to use cloud services; in this case, the service providers will be selected from among those reside in countries for which an adequacy decision is required (Article 45 GDPR) or that provide adequate guarantees, as required by Article 46 GDPR 2016/679.
Rights of the data subject
The data subject may exercise the rights provided for by GDPR 2016/679 at any time, including:
- access to their personal data and all other information referred to in Article 15;
- rectification of inaccurate data and/or completion of incomplete data (Article 16);
- erasure of data (data cannot be erased if it is obligatory for the information to be kept or if the Data Controller’s legitimate interest to continue the processing prevails over that of the data subject) (Article 17);
- restriction of processing in the cases indicated in Article 18;
- the right to receive personal data in a structured, machine-readable format and to transfer it to another Data Controller (Article 20);
- the right to object to the processing of data under the conditions set out in Article 21.
The data subject may exercise the aforementioned rights by contacting the Data Controller using the contact details given above, or by going to the above address, providing any identification details proving the legitimacy of the request.
The data subject also has the right to lodge a complaint with the supervisory authority of their country of residence (Data Protection Authority).
Information for users of cloud services
Urmet SpA produces, distributes and manages its own and third-party apps on its cloud platforms. Therefore, Urmet SpA can process the data of app users both as Data Controller (own apps) and as Data Processor designated by third-party Data Controllers producing apps. In both cases the cloud service is provided by Urmet SpA
This information is therefore provided pursuant to Articles 12, 13 and 14 GDPR 679/16 – “European Regulation on the protection of personal data” to all those who use the apps distributed by clients but managed and maintained by Urmet SpA acting as Data Controller .
Data Controller
The Data Controller is Urmet SpA , in the person of its pro tempore legal representative, with registered office in via Bologna 188/C – 10154 Turin (TO), tel: 0112400000.
Data Protection Officer (“DPO”)
To ask questions about this privacy policy or about how the data are managed, contact the Data Controller's Data Protection Officer (DPO) at dpo@urmet.com
Source and type of data
The personal data processed are those knowingly and freely provided by users when they register for cloud services (name, user ID and password, email, mobile phone number, physical address, etc.), as well as those generated by the use of the cloud services (geolocation data, conversations, promotions, user/device pairings, video recordings, etc.).
Purpose of the processing
Users' personal data are processed in order to:
1) allow the registration and subsequent use of cloud services
2) geolocate the users in order to provide the requested services
3) provide services and chats
4) manage user/device pairings
5) record images and videos
6) improve the experience of using the services
7) provide technical assistance
8) allow users to take advantage of promotions
9) generate aggregate statistical data regarding users' device usage preferences
10) manage and maintain cloud platforms
11) optimise processing resources and data access.
Legal basis for the processing
Processing is carried out on the following legal bases:
performance of the contract to which the user is a party (Article 6(b) GDPR), purposes 1, 3, 4, 6, 7, 10 and 11
express consent (Article 6(a) GDPR) with methods specific to the device used by the user for purposes 2 and 5; further consent is requested and given by ticking the check box for the purpose referred to in point 8
the Data Controller's legitimate interest for purposes 9 and 6 (to perform customer satisfaction analyses to improve the quality of services)
Data retention
The data provided at the time of registration are retained for 2 years following deletion by the user. Geolocation data are deleted each time the cloud services are closed.
Data recipients
The personal data processed by the Data Controller will not be disclosed, that is, they will not be made known to unspecified parties, in any possible form, including making them available or simply consulting them.
The data may be disclosed to:
the Data Controller's employees, on the basis of the roles and work duties performed, who are authorised and trained to carry out processing operations;
expressly authorised internal and external consultants operating under the authority of the Data Controller;
external parties (service providers) designated as Data Processors: e.g. professionals or companies providing technical assistance services and hosting services.
Finally, the data may be disclosed to the entities entitled to access them under legal provisions, regulations and EU legislation. These entities act as independent Data Controllers.
The full, updated list of recipients is available upon request at the Data Controller's headquarters.
Nature of data provision
The provision of data is optional. Provision of the personal data requested at the time of registration is essential to access and use cloud services. Therefore, any refusal to provide such data will not allow the use of cloud services and the registration process will be interrupted.
Data transfer
Under no circumstances will the Data Controller transfer personal data to third countries or to international organisations. However, the Data Controller reserves the right to use cloud services; in this case, the service providers will be selected from among those reside in countries for which an adequacy decision is required (Article 45 GDPR) or that provide adequate guarantees, as required by Article 46 GDPR 2016/679.
Rights of the data subject
The data subject may exercise the rights provided for by GDPR 2016/679 at any time, including:
- access to their personal data and all other information referred to in Article 15;
- rectification of inaccurate data and/or completion of incomplete data (Article 16);
- erasure of data (data cannot be erased if it is obligatory for the information to be kept or if the Data Controller’s legitimate interest to continue the processing prevails over that of the data subject) (Article 17);
- restriction of processing in the cases indicated in Article 18;
- the right to receive personal data in a structured, machine-readable format and to transfer it to another Data Controller (Article 20);
- the right to object to the processing of data under the conditions set out in Article 21.
With reference to Article 7 of GDPR 679/16, the data subject may withdraw any consent given at any time. Denying consent to geolocation will limit the functionality offered by cloud services. Withdrawing other consents will cause the immediate termination of the processing subject to withdrawal.
The data subject may exercise the aforementioned rights by contacting the Data Controller using the contact details given above, or by going to the above address, providing any identification details proving the legitimacy of the request.
The data subject also has the right to lodge a complaint with the supervisory authority of their country of residence (Data Protection Authority).
Information for app users
This information is provided pursuant to Articles 12, 13 and 14 GDPR 679/16 – “European Regulation on the protection of personal data” to all those who use the apps distributed directly or through third-party websites and platforms.
Data Controller
The Data Controller is Urmet SpA , in the person of its pro tempore legal representative, with registered office in via Bologna 188/C – 10154 Turin (TO), tel: 0112400000.
Data Protection Officer (“DPO”)
To ask questions about this privacy policy or about how the data are managed, contact the Data Controller's Data Protection Officer (DPO) at dpo@urmet.com
Source and type of data
The personal data processed are those knowingly and freely provided by users when they register on the app (name, user ID and password, email, mobile phone number, physical address, etc.), as well as those generated by the use of the app (geolocation data, conversations, promotions, user/device pairings, video recordings, etc.).
Purpose of the processing
Users' personal data are processed in order to:
1) allow registration and subsequent use of the app
2) geolocate the users in order to provide the requested services
3) provide services and chats
4) manage user/device pairings
5) record images and videos
6) provide technical assistance
7) allow users to take advantage of promotions
8) generate aggregate statistical data regarding users' device usage preferences in order to improve the experience of using the services
9) manage and maintain cloud platforms
10) optimise processing resources and data access.
Legal basis for the processing
Processing is carried out on the following legal bases:
performance of the contract to which the user is a party (Article 6(b) GDPR), purposes 1, 3, 4, 6, 9 and 10
Express consent (Article 6(a) GDPR) with methods specific to the device used by the user for purposes 2 and 5; further consent is requested and given by ticking the check box for the purpose referred to in point 7
the Data Controller's legitimate interest for purpose 8 (to perform customer satisfaction analyses to improve the quality of services)
Data retention
The data provided at the time of registration are retained for 2 years following deletion by the user. Location data are erased each time the app is closed.
Data recipients
The personal data processed by the Data Controller will not be disclosed, that is, they will not be made known to unspecified parties, in any possible form, including making them available or simply consulting them.
The data may be disclosed to:
the Data Controller's employees, on the basis of the roles and work duties performed, who are authorised and trained to carry out processing operations;
expressly authorised internal and external consultants operating under the authority of the Data Controller;
external parties (service providers) designated as Data Processors: e.g. professionals or companies providing technical assistance and security services, and hosting services.
Finally, the data may be disclosed to the entities entitled to access them under legal provisions, regulations and EU legislation. These entities act as independent Data Controllers.
The full, updated list of recipients is available upon request at the Data Controller's headquarters.
Nature of data provision
The provision of data is optional. Provision of the personal data requested at the time of registration is essential to access and use cloud services. Therefore, any refusal to provide such data will not allow the use of cloud services and the registration process will be interrupted.
Data transfer
Under no circumstances will the Data Controller transfer personal data to third countries or to international organisations. However, the Data Controller reserves the right to use cloud services; in this case, the service providers will be selected from among those reside in countries for which an adequacy decision is required (Article 45 GDPR) or that provide adequate guarantees, as required by Article 46 GDPR 2016/679.
Rights of the data subject
The data subject may exercise the rights provided for by GDPR 2016/679 at any time, including:
- access to their personal data and all other information referred to in Article 15;
- rectification of inaccurate data and/or completion of incomplete data (Article 16);
- erasure of data (data cannot be erased if it is obligatory for the information to be kept or if the Data Controller’s legitimate interest to continue the processing prevails over that of the data subject) (Article 17);
- restriction of processing in the cases indicated in Article 18;
- the right to receive personal data in a structured, machine-readable format and to transfer it to another Data Controller (Article 20);
- the right to object to the processing of data under the conditions set out in Article 21.
With reference to Article 7 of GDPR 679/16, the data subject may withdraw any consent given at any time. Denying consent to geolocation will limit the functionality offered by cloud services. Withdrawing other consents will cause the immediate termination of the processing subject to withdrawal.
The data subject may exercise the aforementioned rights by writing to the Data Controller at the above addresses, or by going to the office indicated, providing any identification details proving the legitimacy of the request.
The data subject also has the right to lodge a complaint with the supervisory authority of their country of residence (Data Protection Authority).
Information for those calling the Contact Centre
This information is provided, pursuant to Article 13 GDPR 2016/679 – “European Regulation on the protection of personal data”, to anyone contacting the Contact Centre.
Data Controller
The Data Controller is Urmet SpA , in the person of its pro tempore legal representative, with registered office in via Bologna 188/C – 10154 Turin (TO), tel: 0112400000.
Data Protection Officer (“DPO”)
To ask questions about this privacy policy or about how the data are managed, contact the Data Controller's Data Protection Officer (DPO) at dpo@urmet.com
Source and type of data
Personal data are those provided spontaneously by the data subject during the telephone call.
Purpose of the processing
Personal data are processed to process requests made by users by telephone in order to obtain maintenance and assistance services on plants, systems and connections; installation and programming services, delivery of products and equipment; reporting of faults, requests for information of various kinds.
In order to improve the quality of the main Customer Service processes and to direct the training of the relevant personnel more effectively, at the end of the telephone call users are asked to participate freely and anonymously in a survey to give their opinion on the telephone service and the quality of the technical assistance received.
Legal basis for the processing
The processing is carried out for the performance of a contract to which the data subject is a party or for the execution of pre-contractual measures adopted at its request (Article 6.1(b) GDPR); on the basis of the Data Controller's legitimate interest (Article 6.1(f) GDPR) with regard to the conduct of the customer satisfaction survey.
Data retention
The Data Controller will retain and process personal data for the time necessary to fulfil the indicated purposes. The acquired data (e.g. content of phone calls, customer ID, etc.) are kept for 30 days and then automatically erased.
Data recipients
The personal data processed by the Data Controller will not be disclosed, that is, they will not be made known to unspecified parties, in any possible form, including making them available or simply consulting them.
The data may be disclosed to:
the Data Controller's employees, on the basis of the roles and work duties performed, who are authorised and trained to carry out processing operations;
expressly authorised internal consultants operating under the authority of the Data Controller.
Finally, the data may be disclosed to the entities entitled to access them under legal provisions, regulations and EU legislation. These entities act as independent Data Controllers.
The full, updated list of recipients is available upon request at the Data Controller's headquarters.
Nature of data provision
The data subject may refuse to provide the Data Controller with their data. However, failure to provide such information may compromise or make it impossible to respond to or process requests.
Data transfer
Under no circumstances will the Data Controller transfer personal data to third countries or to international organisations. However, the Data Controller reserves the right to use cloud services; in this case, the service providers will be selected from among those reside in countries for which an adequacy decision is required (Article 45 GDPR) or that provide adequate guarantees, as required by Article 46 GDPR 2016/679.
Rights of the data subject
The data subject may exercise the rights provided for by GDPR 2016/679 at any time, including:
- access to their personal data and all other information referred to in Article 15;
- rectification of inaccurate data and/or completion of incomplete data (Article 16);
- erasure of data (data cannot be erased if it is obligatory for the information to be kept or if the Data Controller’s legitimate interest to continue the processing prevails over that of the data subject) (Article 17);
- restriction of processing in the cases indicated in Article 18;
- the right to receive personal data in a structured, machine-readable format and to transfer it to another Data Controller (Article 20).
In particular, the data subject may object to the processing of data (Article 21) with regard to participation in the survey, by not continuing with the telephone call.
The data subject may exercise the aforementioned rights by contacting the Data Controller using the contact details given above, providing any identification details proving the legitimacy of the request.
The data subject also has the right to lodge a complaint with the supervisory authority of their country of residence (Data Protection Authority).
Newsletter information
This information is provided, pursuant to Article 13 GDPR 2016/679 – “European Regulation on the protection of personal data”, to anyone subscribing to the newsletter.
Data Controller
The Data Controller is Urmet SpA , in the person of its pro tempore legal representative, with registered office in via Bologna 188/C – 10154 Turin (TO), tel: 0112400000.
Data Protection Officer (“DPO”)
To ask questions about this privacy policy or about how the data are managed, contact the Data Controller's Data Protection Officer (DPO) at dpo@urmet.com
Source and type of data
The personal data (name, surname, email address) are provided spontaneously by the data subject upon subscription.
Purpose of the processing
Personal data are processed to manage the subscription to the mailing list and to send the newsletter.
Legal basis for the processing
The legal basis is the data subject’s consent given by an unequivocal positive action, i.e. spontaneous registration.
Data retention
The Data Controller will retain and process personal data for the time necessary to fulfil the indicated purposes. In this case, the data are retained until the data subject unsubscribes from the mailing list or while the email addresses remain active.
Data recipients
The personal data processed by the Data Controller will not be disclosed, that is, they will not be made known to unspecified parties, in any possible form, including making them available or simply consulting them.
The data may be disclosed to:
the Data Controller's employees, on the basis of the roles and work duties performed, who are authorised and trained to carry out processing operations;
expressly authorised internal and external consultants operating under the authority of the Data Controller;
external parties (service providers) designated as Data Controllers: mailing system manager, information and telecommunication system provider.
Finally, the data may be disclosed to the entities entitled to access them under legal provisions, regulations and EU legislation. These entities act as independent Data Controllers.
The full, updated list of recipients is available upon request at the Data Controller's headquarters.
Nature of data provision
Provision of the requested data is optional; however, not providing, or partially or inaccurately providing the data highlighted as necessary may result in a failure to register for the newsletter.
Data transfer
Under no circumstances will the Data Controller transfer personal data to third countries outside the EU or to international organisations. However, the Data Controller reserves the right to use cloud services; in this case, the transfer will take place to suppliers operating in countries deemed adequate pursuant to Article 45 or that provide the guarantees set out in Article 46 GDPR.
For further information on the transfer or to obtain a copy of the guarantees applied, contact the Data Controller using the above contact details.
Rights of the data subject
The data subject may exercise the rights provided for by GDPR 2016/679 at any time, including:
- access to their personal data and all other information referred to in Article 15;
- rectification of inaccurate data and/or completion of incomplete data (Article 16);
- erasure of data (data cannot be erased if it is obligatory for the information to be kept or if the Data Controller’s legitimate interest to continue the processing prevails over that of the data subject) (Article 17);
- restriction of processing in the cases indicated in Article 18;
- the right to receive personal data in a structured, machine-readable format and to transfer it to another Data Controller (Article 20);
- the right to object to the processing of data under the conditions set out in Article 21.
The data subject may exercise the aforementioned rights by writing to the Data Controller using the contact details given above, or by going to the above address, providing any identification details proving the legitimacy of the request.
With reference to Article 7 of the GDPR, the data subject may withdraw their consent at any time. If consent is withdrawn, by clicking on the link to unsubscribe from the newsletter at the bottom of each message, the newsletter will no longer be sent. The lawfulness of the data processing carried out prior to withdrawal remains unaffected.
The data subject also has the right to lodge a complaint with the supervisory authority of their country of residence (Data Protection Authority).
Information for suppliers
This information is provided, pursuant to Article 13 GDPR 2016/679 – “European Regulation on the protection of personal data”, to suppliers (individual companies and firms) and to anyone holding professional roles and positions in the company.
Management of the contractual relationship with suppliers (legal persons) necessarily involves the processing of personal data (identification details, telephone numbers, email addresses) relating to directors, employees and associates with whom the supplier comes into contact.
Since it is difficult to send it directly to such persons, the information is made available to the suppliers with a request to notify the natural persons in question.
Data Controller
The Data Controller is Urmet SpA , in the person of its pro tempore legal representative, with registered office in via Bologna 188/C – 10154 Turin (TO), tel: 0112400000.
Data Protection Officer (“DPO”)
To ask questions about this privacy policy or about how the data are managed, contact the Data Controller's Data Protection Officer (DPO) at dpo@urmet.com
Source and type of data
Personal data are those provided spontaneously by the data subject in the pre-contractual and contractual phases and fall into the following categories: personal and identification data (personal particulars, Tax/VAT no.), contact data, billing data, tax data, bank data, curriculum vitae.
Purpose of the processing
Personal data are processed in order to:
1) acquire pre-contractual data and information (e.g. qualification of the requirements possessed, evaluation of offers and estimates, preparation of documents);
2) manage the contractual relationship for the purchase of goods or services (e.g. management of orders and payments, exchange of communications relating to the management of the supply relationship, etc.);
3) manage the civil, accounting and tax obligations arising from the supply relationship;
4) prevent and manage possible disputes in and out of court.
Legal basis for the processing
The processing is carried out for
- the performance of a contract to which the data subject is party; to execute the pre-contractual measures adopted at its request (Article 6(b) GDPR) for purposes 1 and 2;
- a legal obligation (Article 6(c) GDPR) for purpose 3;
- the Data Controller's legitimate interest (to ascertain or defend the company's interests in legal proceedings).
Data retention
The Data Controller will retain and process personal data for the time necessary to fulfil the indicated purposes. In any case, documents of administrative relevance will be kept for 10 years from the termination of the supply relationship.
Data recipients
The personal data processed by the Data Controller will not be disclosed, that is, they will not be made known to unspecified parties, in any possible form, including making them available or simply consulting them.
The data may be disclosed to:
the Data Controller's employees, on the basis of the roles and work duties performed, who are authorised and trained to carry out processing operations;
expressly authorised internal and external consultants operating under the authority of the Data Controller;
external parties (service providers) designated as Data Controllers: e.g. professionals or companies providing accounting and tax, corporate and legal services, electronic data processing, management of information services (e.g. electronic invoicing, administrative management, supplier registry, etc.
They may also be sent to banks and competent public bodies (e.g. tax authorities).
Finally, the data may be disclosed to the entities entitled to access them under legal provisions, regulations and EU legislation. These entities act as independent Data Controllers.
The full, updated list of recipients is available upon request at the Data Controller's headquarters.
Nature of data provision
The provision of data is mandatory for the performance of the contractual relationship and for the fulfilment of the related legal obligations. Additional data (telephone number, email address, etc.) are essential for managing the organisational aspects. For this reason, their partial or incomplete disclosure could compromise the effective management of the contractual relationship.
Data transfer
Under no circumstances will the Data Controller transfer personal data to third countries or to international organisations. However, the Data Controller reserves the right to use cloud services; in this case, the service providers will be selected from among those reside in countries for which an adequacy decision is required (Article 45 GDPR) or that provide adequate guarantees, as required by Article 46 GDPR 2016/679.
Rights of the data subject
The data subject may exercise the rights provided for by GDPR 2016/679 at any time, including:
- access to their personal data and all other information referred to in Article 15;
- rectification of inaccurate data and/or completion of incomplete data (Article 16);
- erasure of data (data cannot be erased if it is obligatory for the information to be kept or if the Data Controller’s legitimate interest to continue the processing prevails over that of the data subject) (Article 17);
- restriction of processing in the cases indicated in Article 18;
- the right to receive personal data in a structured, machine-readable format and to transfer it to another Data Controller (Article 20);
- the right to object to the processing of data under the conditions set out in Article 21.
The data subject may exercise the aforementioned rights by writing to the Data Controller using the contact details given above, or by going to the above address, providing any identification details proving the legitimacy of the request.
The data subject also has the right to lodge a complaint with the supervisory authority of their country of residence (Data Protection Authority).
Information for visitors accessing the headquarters
This information is provided, pursuant to Article 13 GDPR 2016/679 – “European Regulation on the protection of personal data”, to all natural persons who access and are temporarily present at the headquarters of Urmet SpA.
Data Controller
The Data Controller is Urmet SpA , in the person of its pro tempore legal representative, with registered office in via Bologna 188/C – 10154 Turin (TO), tel: 0112400000.
Data Protection Officer (“DPO”)
To ask questions about this privacy policy or about how the data are managed, contact the Data Controller's Data Protection Officer (DPO) at dpo@urmet.com
Source and type of data
Personal data are those provided spontaneously by the data subject at the time of:
· visits or interventions at the headquarters
· interviews or work sessions at the headquarters
· delivery or collection of goods, packages or correspondence.
Purpose of the processing
Personal data are processed for the following purposes:
1. control of access to the headquarters
2. record of time spent at the headquarters
3. identification of people present for the management of emergency situations.
Legal basis for the processing
The processing is carried out for: a legal obligation (Article 6(c) GDPR) for the management of emergencies and the Data Controller's legitimate interest (access control and record of time spent at the headquarters) (Article 6(f) GDPR)
Data retention
The recorded data will be erased one year after access.
Data recipients
The personal data processed by the Data Controller will not be disclosed, that is, they will not be made known to unspecified parties, in any possible form, including making them available or simply consulting them.
The data may be disclosed to:
the Data Controller's employees, on the basis of the roles and work duties performed, who are authorised and trained to carry out processing operations;
expressly authorised internal and external consultants operating under the authority of the Data Controller;
external parties (service providers) designated as Data Controllers: e.g. companies entrusted with the switchboard/reception service.
Finally, the data may be disclosed to the entities entitled to access them under legal provisions, regulations and EU legislation. These entities act as independent Data Controllers.
The full, updated list of recipients is available upon request at the Data Controller's headquarters.
Nature of data provision
The data subject may refuse to provide the Data Controller with their personal data since provision is optional. However, any refusal to provide such data will result in being denied access to the headquarters.
Data transfer
Under no circumstances will the Data Controller transfer personal data to third countries or to international organisations. However, the Data Controller reserves the right to use cloud services; in this case, the service providers will be selected from among those reside in countries for which an adequacy decision is required (Article 45 GDPR) or that provide adequate guarantees, as required by Article 46 GDPR 2016/679.
Rights of the data subject
The data subject may exercise the rights provided for by GDPR 2016/679 at any time, including:
- access to their personal data and all other information referred to in Article 15;
- rectification of inaccurate data and/or completion of incomplete data (Article 16);
- erasure of data (data cannot be erased if it is obligatory for the information to be kept or if the Data Controller’s legitimate interest to continue the processing prevails over that of the data subject) (Article 17);
- restriction of processing in the cases indicated in Article 18;
- the right to receive personal data in a structured, machine-readable format and to transfer it to another Data Controller (Article 20);
- the right to object to the processing of data under the conditions set out in Article 21.
The data subject may exercise the aforementioned rights by contacting the Data Controller using the contact details given above, or by going to the above address, providing any identification details proving the legitimacy of the request.
The data subject also has the right to lodge a complaint with the supervisory authority of their country of residence (Data Protection Authority).
This information is provided, pursuant to Article 13-14 GDPR 2016/679 – “European Regulation on the protection of personal data”, to anyone who sends in a job application either spontaneously or in response to a staff recruitment advertisement.
Data Controller
The data controller is Urmet SpA , in the person of its pro tempore legal representative, with registered office in via Bologna 188/C – 10154 Turin (TO), tel: 0112400000
DPO
To ask questions about this privacy policy or about how the data are managed, contact the Data Protection Officer (DPO) at dpo@urmet.com
Source and type of data
The personal data processed are acquired in response to an advertisement or, in the case of a spontaneous application:
• Directly from the data subject, by filling in the “Work with us” form on the website or sending through other channels (e.g. email);
• From third parties (e.g. Linkedin or recruiting companies that the Data Controller may use for the purpose of staff recruitment, reports from third parties);
• Directly from the data subject during evaluation interviews and pre-employment agreements.
The personal data mainly falls into the following categories:
• identification and contact data (name, surname, address, age, place and date of birth, image, email, telephone);
• personal data relating to education and work (CV, qualifications, professional training, skills and professional experience)
• data relating to evaluations connected to the selection process (evaluation questionnaires, selection reports)
Furthermore, in particular cases and always by virtue of the employment relationship being established, in addition to general data, the Data Controller may also come to know specific data (Article 9 GDPR) that may reveal, for example, the state of health or ethnic origin (e.g. belonging to a protected class, level of disability, etc.).
If the CV sent contains data that are not relevant for the purpose of evaluating the application, the Data Controller will refrain from using such information.
Purpose of the processing
Personal data are processed for the following purposes:
1. purposes related to evaluation and selection for job positions with the Data Controller or companies associated with the Data Controller;
2. possibly to propose in the future other job offers with the Data Controller or companies associated with the Data Controller that are consistent with the candidate's professional profile.
Legal basis for the processing
The legal basis for purpose 1 is the execution of pre-contractual measures adopted at the data subject’s request (Article 6(1)(b) of the GDPR); while for purpose 2 it is the Data Controller’s legitimate interest (Article 6(1)(f) of the GDPR).
Any special categories of data that are strictly necessary for the relevant purposes will be processed in accordance with Article 9(2)(b) of the GDPR, i.e. to fulfil the obligations and exercise the specific rights of the data controller or the data subject in the field of employment law.
Data retention
The personal data provided by the candidate are retained for the period necessary to carry out the appropriate assessments for hiring personnel and in any case no longer than 24 months from the closure of the selection process or from the date of the last update of the Portal. This period may be extended for job profiles requiring specific skills for which retention is envisaged for up to 5 years.
Nature of data provision
The provision of personal data by the candidate is optional. However, some data are essential for evaluating the application and managing the selection process phases.
Therefore, any refusal to provide such data in whole or in part may result in the candidate not being evaluated or selected for possible job positions.
Data recipients
The personal data processed by the Data Controller will not be disclosed, that is, they will not be made known to unspecified parties, in any possible form, including making them available or simply consulting them.
The data may be disclosed to:
the Data Controller's employees, on the basis of the roles and work duties performed, who are authorised and trained to carry out processing operations;
expressly authorised internal and external consultants operating under the authority of the Data Controller;
external parties designated as Data Processors, such as the provider of the Portal/web platform for collecting applications (InRecruiting, Linkedin, etc.).
Furthermore, the data may be shared with other associated companies if the candidate's profile is in line with open positions at these companies.
Finally, the data may be disclosed to the entities entitled to access them under legal provisions, regulations and EU legislation. These entities act as independent Data Controllers.
The full, updated list of recipients is available upon request at the Data Controller's headquarters.
Data transfer
Under no circumstances will the Data Controller transfer personal data to third countries or to international organisations. However, the Data Controller reserves the right to use cloud services; in this case, the service providers will be selected from among those reside in countries for which an adequacy decision is required (Article 45 GDPR) or that provide adequate guarantees, as required by Article 46 GDPR 2016/679.
Automated decision-making processes
The Data Controller uses an AI algorithm to create a synopsis of the candidate's profile that summarises the contents of the CV, the information sheet filled out by the candidate, the evaluation sheets and the notes taken by the evaluators during interviews, in order to speed up the evaluation and selection process. Any direct identifying elements are removed from such documents before analysis by the algorithm.
The synopsis produced by the algorithm is always verified by the personnel office.
Rights of the data subject
The data subject may exercise the rights provided for by GDPR 2016/679 at any time, including:
- access to their personal data and all other information referred to in Article 15;
- rectification of inaccurate data and/or completion of incomplete data (Article 16);
- erasure of data, unless it is obligatory for the information to be kept or if the Data Controller’s legitimate interest to continue the processing prevails over that of the data subject (Article 17);
- objection to automated decision-making (Article 22).
The data subject also has the right to object to the processing carried out on the basis of the Data Controller's legitimate interest (Article 21). However, the Data Controller may reject the request if it can demonstrate compelling legitimate reasons to proceed with the processing.
The data subject may exercise the aforementioned rights by contacting the Data Controller using the contact details given above , providing any identification details proving the legitimacy of the request.
The data subject also has the right to lodge a complaint with the supervisory authority of their country of residence (Data Protection Authority).
Whistleblowing information for reporting persons
This information is provided, pursuant to Article 13 of Regulation (EU) 2016/679 on the protection of personal data, to persons (e.g. directors, managers, employees, consultants, workers of suppliers, etc.) who report suspected irregularities or illicit acts in the workplace.
Data Controller
The data controller is Urmet SpA , in the person of its pro tempore legal representative, with registered office in via Bologna 188/C – 10154 Turin (TO), tel: 0112400000.
Data Protection Officer (“DPO”)
To ask questions about this privacy policy or about how the data are managed, contact the Data Controller's Data Protection Officer (DPO) at dpo@urmet.com
Source and type of data
The personal data are provided by the whistleblower when making a report using the internal reporting channel made available by the Data Controller. In particular,
the name, surname and contact details of the reporting person (unless the report is anonymous);
a description of the facts and the event that are the subject of the report which may indirectly identify the whistleblower and/or reveal any information relating to special categories of data pursuant to Article 9 or Article 10 GDPR.
Purposes and methods of processing
1. Acquisition and management of internal whistleblowing reports of violations of national and European legislation, including the preliminary and investigative phases aimed at ascertaining any violations.
2. Any disclosure of the identity of the whistleblower to persons other than those competent to receive or follow up on expressly authorised reports.
The information provided and the identity of the whistleblower (if the report is not anonymous), will be treated as confidential at all stages of processing. In particular, the identity of the whistleblower and the content of the report, from which the identification of the reporting person can be derived, even indirectly, will not be disclosed to third parties, nor to the persons reported or to the managers of the organisational units to which they belong.
The identity of the reporting person may only be disclosed in the cases required by law or in the context of legal proceedings.
Legal basis for the processing
Personal data are processed to fulfil a legal obligation provided for by Legislative Decree 24/2023 (Article 6(1)(c) and Article 9(2)(g) GDPR and Article 2-octies of the Privacy Code) for purpose 1; express consent of the reporting person for purpose 2.
Data retention
Reports and the related documentation are kept for the time necessary for their management and, in any case, for no more than five years from the date of archiving the report. However, where applicable, such personal data may be retained for a longer period, if necessary for the application of sanctions or disciplinary measures.
Data recipients
The personal data and information provided may be viewed, processed and used by:
internal staff belonging to the office responsible for managing the reporting channel;
members of the supervisory board;
expressly authorised internal and external consultants operating under the authority of the Data Controller;
external provider of the reporting platform.
Finally, the data may be disclosed to the entities entitled to access them under legal provisions, regulations and EU legislation.
Data transfer
Under no circumstances will the Data Controller transfer personal data to third countries or to international organisations. However, the Data Controller reserves the right to use cloud services; in this case, the service providers will be selected from among those reside in countries for which an adequacy decision is required (Article 45 GDPR) or that provide adequate guarantees, as required by Article 46 GDPR 2016/679.
Rights of the data subject
The reporting person can exercise the rights provided by the GDPR. The following may be requested, in particular:
access to personal data and all other information relating to the report made (Article 15);
rectification or erasure of inaccurate data and completion of incomplete data (Article 16-17).
The whistleblower may at any time withdraw the consent given with reference to the disclosure of their identity to entities other than the competent entities using the reporting channel. This is without prejudice to the lawfulness of the disclosure of the whistleblower’s identity if it occurred before consent was withdrawn.
The whistleblower may exercise the aforementioned rights by contacting the Data Controller using the contact details given above, specifying the subject of the request and the right that is to be exercised and providing any suitable identification details proving the legitimacy of the request.
The data subject also has the right to lodge a complaint with the supervisory authority of their country of residence (Data Protection Authority).
Whistleblowing information for third parties
This information is provided, pursuant to Article 14 of Regulation (EU) 2016/679 on the protection of personal data, to the reported persons, witnesses and other persons involved and mentioned in the report who can be identified.
Data Controller
The data controller is Urmet SpA , in the person of its pro tempore legal representative, with registered office in via Bologna 188/C – 10154 Turin (TO), tel: 0112400000.
Data Protection Officer (“DPO”)
To ask questions about this privacy policy or about how the data are managed, contact the Data Controller's Data Protection Officer (DPO) at dpo@urmet.com
Source and type of data
Personal data are provided by the whistleblower when reporting using the internal channel made available by the Data Controller.
In the context of the acquired report, the Data Controller may process general data and any data belonging to specific categories pursuant to Article 9 and Article 10 GDPR that can be detected from the content of the report or acquired in subsequent investigative phases.
Purpose of the processing
Acquisition and management of internal whistleblowing reports of violations of national and European legislation, including the preliminary and investigative phases aimed at ascertaining any violations.
Legal basis for the processing
Personal data are processed to fulfil a legal obligation provided for by Legislative Decree 24/2023 (Article 6(1)(c) and Article 9(2)(g) GDPR and Article 2-octies of the Privacy Code).
Data retention
Reports and the related documentation are kept for the time necessary for their management and, in any case, for no more than five years from the date of archiving the report. However, where applicable, such personal data may be retained for a longer period, if necessary for the application of sanctions or disciplinary measures.
Data recipients
The personal data and information provided may be viewed, processed and used by:
1. internal staff belonging to the office responsible for managing the reporting channel;
2. members of the supervisory board;
3. expressly authorised internal and external consultants operating under the authority of the Data Controller;
4. external provider of the reporting platform.
Finally, the data may be disclosed to the entities entitled to access them under legal provisions, regulations and EU legislation.
Data transfer
Under no circumstances will the Data Controller transfer personal data to third countries or to international organisations. However, the Data Controller reserves the right to use cloud services; in this case, the service providers will be selected from among those reside in countries for which an adequacy decision is required (Article 45 GDPR) or that provide adequate guarantees, as required by Article 46 GDPR 2016/679.
Rights of the data subject
With reference to their personal data processed in the context of the report, the persons involved or mentioned in the report cannot exercise the rights provided for by the GDPR - for the time and to the extent that this constitutes a necessary and proportionate measure - in compliance with Article 23 of the GDPR and Article 2 undecies of the Privacy Code (Legislative Decree 196/2003 as amended). In fact, the exercise of such rights could effectively and concretely compromise the protection of the confidentiality of the identity of the reporting person and the correct performance of investigative activities.
The data subject also has the right to lodge a complaint with the supervisory authority of their country of residence (Data Protection Authority).
Cookie and website navigation information
This website belongs to Urmet SpA, which processes the data collected through the site in its capacity as Data Controller.
The Data Controller guarantees the security, confidentiality and protection of the data in its possession, or data that will come into its possession, at any stage of the processing, in compliance with the rules established by GDPR 2016/679 and in compliance with business secrecy.
This information is provided, pursuant to Article 13 GDPR 2016/679 – “European Regulation on the protection of personal data”, to users accessing and viewing the website.
This cookie and navigation information therefore describes the ways in which Urmet SpA uses cookies and similar technologies to collect and store information when the user visits the website or receives emails from the Data Controller.
The website may provide links or references to other third-party websites over which the Data Controller has no control. Such links, if present, are provided for the convenience of users of this website and the Data Controller shall have no liability in relation to such websites, and does not provide any indications regarding the accuracy or completeness of the information contained therein.
Identity of the Data Controller
The Data Controller for the processing indicated below is Urmet SpA with registered office in Via Bologna 188/C 10154 Turin, in the person of its pro tempore legal representative.
Identity of the DPO
To ask questions about this privacy policy or about how the data are managed, contact the Data Controller's Data Protection Officer (DPO) at dpo@urmet.com
Source and type of data processed
The website acquires information provided directly by the user when browsing the website which falls into the following categories: IP addresses or domain names used by visitors to connect to the website, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response given by the server and other parameters relating to the operating system and the user's IT environment.
Processing methods
During their normal operation, the computer systems and software procedures used to operate this website acquire, some personal data whose transmission is implicit in the use of internet communication protocols.
Through processing and association with data held by third parties, this information, by its very nature, may allow users to be identified.
This information is not collected in order to be associated with identified data subjects but, by its very nature, through processing and association with data held by third parties, may allow users to be identified.
Policy on cookies, pixel tags and JavaScript tags
The website uses various types of cookies, in addition to pixel tags and/or JavaScript tags, to collect and store certain information about the user. A cookie is a small data file that the website sends and saves on the hard disk of the user's computer and/or device (hereinafter both referred to as "computer"); subsequently, when the user accesses the website, the cookies saved on the computer will send information to the entity that sent them.
Purpose of using cookies
Session cookies store relevant information along with the user's IP address and cookie identifier. These cookies are associated with activities necessary for the use of the website (for example, they are used to navigate the website without having to re-enter login data) and are then deleted from the user's computer once the browser is closed.
Permanent cookies are stored on first access to a website, in order to recognise the user as a visitor. This cookie is updated with a date and time stamp every time the user returns to the website, and stores information about the pages viewed to potentially show the user personalised information based on previously detected preferences. Permanent cookies remain on the user’s computer after the browser has been closed, but they can be deleted at any time using the browser settings.
Cookies are also divided into "first-party cookies" and "third-party cookies".
First-party cookies are set directly on the user's computer, with the sole purpose of recognising the user on subsequent visits.
Third-party cookies are sent by an independent service provider acting on behalf of the Data Controller and may be used by such third-party service provider to recognise users when they visit the website or third-party websites. Although the Data Controller may allow third-party service providers to access the website to send these cookies to users' computers in accordance with applicable laws, as illustrated in this Cookie Policy, the Data Controller does not have any control over the information collected by the cookies nor does it retain access to such data, which are immediately disclosed to the third parties that collect them.
Social media tools
The website may offer access to social media tools provided by social networking platforms such as Facebook, Google, LinkedIn and Twitter. Users who decide to use such tools by activating the social media tool can share certain personal data with their friends and these social network platforms. Sharing activities are subject to the privacy policies of each social network. Specifically, tools from the Facebook social network are also offered to allow Facebook to share friends’ information and activities with its registered users while browsing our website.
Cookies used, purpose of processing, data retention period
The cookies used in the various sections of the URMET SpA website are listed below:
technical cookies (first-party) to ensure correct functioning and to improve the user's browsing experience: session cookies fall into this category and such data are not retained).
performance cookies (first-party): this category includes Analytics cookies used to collect and analyse information for statistical analysis on access and visits to the website; the retention period for this category of cookies is 2 years.
cookies for targeted advertising (first-party and third-party)
For further details, please see the Cookie policy https://www.urmet.com/it-it/Professionista/Cookies
Legal basis for the processing
Technical cookies are used in the Data Controller's legitimate interest (acquisition of the information needed to ensure the functioning of the website, to carry out the transmission of communications via electronic protocols, saving browsing preferences and logins); the remaining cookies are used with the data subject’s consent by express acceptance through the appropriate banner.
Data recipients
The acquired data may be disclosed to:
authorised personnel (employees and associates) of the company
external parties designated as Data Controllers (companies and professionals who provide website management and maintenance services, information and hosting services)
Finally, the data may be disclosed to the entities entitled to access them under legal provisions, regulations and EU legislation. These entities act as independent Data Controllers.
Personal data are in no case disclosed to unspecified parties.
The complete list of Data Controllers is available upon request.
Data transfer
Under no circumstances will the Data Controller transfer personal data to third countries or to international organisations.
However, the Data Controller reserves the right to use cloud services; in this case, the service providers will be selected from among those reside in countries for which an adequacy decision is required (Article 45 GDPR) or that provide adequate guarantees, as required by Article 46 GDPR.
Withdrawal of consent
With reference to Article 7 of GDPR 2016/679, the data subject may withdraw consent at any time through the specific preference management area at the bottom of the page showing the status of previously given consents.
The system will track changes and updates to any consents given. Withdrawing consent will block the use of analytical and advertising cookies without affecting browsing.
Cookies can be disabled at any time by following the instructions provided by the browser.
Refusal to provide data
Technical cookies must be accepted in order to browse the website. Accepting the remaining cookies is optional and takes place with the user’s express consent. If they are not accepted, there may be some restrictions in the use of some features of the website or it may prevent the use of benefits connected to the services or products offered by the Data Controller.
Rights of the data subject
The data subject may exercise the rights provided for by GDPR 2016/679 (Article 15 – 22) at any time.
The following may be requested, in particular:
whether their personal data are being processed and - if confirmed - to obtain a copy of such data (“right of access”);
the rectification of inaccurate data and the completion of incomplete data (“right to rectification”);
the erasure of data or the right to be “forgotten”, unless there are obligations to retain the data or the Data Controller’s legitimate interests (the “right to erasure”);
that the processing of their data be restricted (the “right to restriction”);
that the data provided to the Data Controller be transferred to another Data Controller (“right to portability”), only if the processing is based on consent or on a contract;
objection to the processing of personal data for reasons related to the data subject’s particular situation, to be specified in the request;
The data subject may exercise the aforementioned rights by writing to the Data Controller at the email address above, specifying the subject of the request and the right that is to be exercised, providing any suitable identification details proving the legitimacy of the request.
Complaints
The data subject has the right to lodge a complaint with the supervisory authority of their country of residence (Data Protection Authority).
Automated decision-making processes
The Data Controller will not, under any circumstances, carry out processing operations consisting of automated decision-making processes on personal data .