INFORMATION NOTE PURSUANT TO ARTICLE 13, paragraph 1, OF THE EUROPEAN REGULATION (G.D.P.R.) 2016/67
K.F.I. S.r.l., with registered office in via delle Scienze 21, 20082 Binasco (MI), Tax Code and VAT no 10448500156, as data controller (hereinafter “Data Controller”), in its capacity of data controller hereby informs you that your data will be processed with the following methods and purposes, pursuant to art. 13, § 1, EU Regulation no 2016/679 (hereinafter “GDPR”):
1. Subject-matter of processing
The Data Controller processes your personal identifying non-sensitive data (in particular, name, surname, tax code, vat number, email, phone number, your images – hereinafter “personal data” or “data”) notified by you when registering on the Data Controller’s website and/or when subscribing to the newsletter offered by the Data Controller and/or when signing consultancy proposals for acceptance.
2. Purpose of processing
Your personal data are processed:
A) without your express consent (art. 6 let. b, e of the GDPR), for the following Service Purposes:
– to enable you to register on the website;
– to manage and maintain the website;
– to enable you to subscribe to the newsletter service supplied by the Data Controller and to additional Services you may have requested;
– to fulfil the pre-contractual, contractual and tax obligations deriving from relationships already in place;
– to fulfil obligations laid down by law, regulations, community legislation or by an order of the Authorities;
– to prevent or uncover fraudulent activities or harmful practices towards the website;
– to exercise the Data Controller’s rights, for example the right to legal defence.
Data subject’s rights (art. 15-21 GDPR)
In addition to the already specified right of access according to art. 15 GDPR in order to know the existence of the processing, its purposes, the categories of processed data, the recipients to whom the data have or will be communicated, in particular where these consist of third countries or international organisations, the storage period or the criteria employed to determine this, the data subject may ask for the rectification or cancellation of the personal data or the restriction of the processing and may oppose their processing; he/she may also lodge a complaint to a supervisory authority, obtain information regarding the origin of the data, where not personally supplied, the existence of an automated decision process, including profiling according to art. 22, § 1 and 4 (and in such case, significant information concerning the logic employed), the guarantee of adequate safeguards in case of transmission to third countries, obtain a copy of the data held by the Data Controller, revoke consent and the portability of the data.
Please note the Data Controller does not carry out profiling activities, does not transfer data to third countries and does not process data of underage persons
B) Only after your prior and specific consent (art. 7 GDPR), for the following marketing purposes:
– to send you newsletters, commercial notices and/or publicity material by email concerning products or services offered by the Data Controller.
Please note that if you are already our customer, we could send you commercial information concerning products or services of the Data Controller similar to those you have already enjoyed, until your consent is revoked or you request cancellation.
C) The Data Controller will process the data for the time necessary to fulfil the above quoted purposes and in case for no longer than 10 years from the end of the relationship for Service Purposes and for no longer than 2 years for Marketing Purposes, without prejudice to the right to cancellation or of revoking consent.
3. Access to your data by parties other than the Data Controller
Your data may be transmitted for the purposes outlined in art. 2.A) and 2.B):
– to employees or collaborators of the Data Controller, in their capacity of processors and/or internal processing officers and/or system administrators;
– to third parties (for example, providers for the management and maintenance of the website, suppliers, credit institutions, professional studios etc.) who carry out outsourcing activities on behalf of the Data Controller, in their capacity of external data processors.
4. Data communication
Without your express consent, (ex art. 24 let. a), b), d) of the Privacy Code and art. 6 let. b) and c) of the GDPR), the Data Controller may notify your data for the purposes laid down in art. 2.A) to Supervisory Bodies, Judicial Authorities as well as to all other subjects to whom the communication is legally mandatory in order to fulfil the purposes described. Your data will not be disseminated.
5. Data transfer
Personal data will be managed and stored on servers located within the European Union where the Data Controller and/or third party companies appointed and duly nominated as data processors are located. These servers are currently located in ITALY. Data will not be transmitted outside the European Union. In any case, it is understood that where necessary, the Data Controller will have the right to move the servers’ location in Italy and/or the European Union and/or countries outside the EU. In such a case, the Data Controller guarantees as of now that the transfer of data outside the EU will occur in accordance with the applicable legislation, by concluding agreements where necessary which guarantee an adequate level of protection and/or by adopting the standard contractual clauses laid down by the European Commission.
6. Procedure for exercising the rights
You may exercise your rights at any time by sending:
– a registered letter with acknowledgement of receipt to K.F.I. S.r.l. Via delle Scienze n 21 20082 Binasco (MI)
– an email to the address firstname.lastname@example.org
7. Underage persons
The Website and the Services offered by the Data Controller are not aimed at persons under 18 years of age and the Data Controller does not intentionally collect personal information concerning underage persons. Should data concerning underage persons be collected unintentionally, the Data Controller will erase these immediately, on the user’s request
8. Data Controller, processors and data protection officer
The Data Controller is K.F.I. S.r.l.
The updated list of the processing officers and processors is kept at the Data Controller’s registered office.
The data controller declares no data are processed for which a data protection officer (DPO) is mandatory.
9. Changes to this Information note
This Information note may be subject to changes. We recommend checking this Information note on a regular basis and to refer to the latest updated version on the website:
Declaration pursuant to art. 32
The Data Controller also declares to have adopted technical and organisational measures suitable to guarantee the safety of the processing carried out.