PRIVACY INFORMATION STATEMENT
IN ACCORDANCE WITH ARTICLE 13 OF THE REGULATION EU 2016/679 as amended and supplemented thereto.
Dear Data Subject,
With this document, the Company CARPAD SPA provides information regarding the processing characteristics and methods of your personal data in compliance with the provisions of the GDPR and the applicable Privacy Code.
Each processing of your personal data will be based on principles of lawfulness, correctness and transparency.
1) IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER
The Data Controller (hereinafter “Data Controller” or “the Company”) is CARPAD SPA, with head office located in 35014 Fontaniva (PD), Viale Dell’Industria, 16, VAT number 01747990289, Economic and Administrative Index no. PD – 180262, share capital of Euro 3,000,000.00, as represented by its pro tempore legal representative that can also be contacted at the following contact details: tel.: +39 049 594 2430; Fax: +39 049 594 1525. Certified Email Address: carpadspa@legalmail.it.
2) TYPE OF DATA SUBJECT TO PROCESSING
The Data Controller will process your personal data and contact details (such as name, surname, address, email and telephone number) that you provided directly by filling out the special data collection form under the “Contact” section on the Data Controller’s website.
3) MEANING OF PROCESSING
In accordance with Article 4 (2) of the GDPR, "processing” means “any operation or series of operations performed with or without the help of automated processes, applied to the personal data or series of personal data, such as collection, registration, sorting, structuring, preservation, adaptation or modification, extraction, consultation, use, disclosure through transfer, dissemination or any other form made available, comparison or interconnection, limitation, deletion or destruction”.
4) PURPOSES AND LEGAL BASIS OF DATA PROCESSING
The Data Collector gathers and processes your personal data for the following purposes:
respond to your message or your information request; the legal basis for said purposes is the legitimate interest of the data controller pursuant to article 6, paragraph I, letter (f) of the GDPR to be identified in the reasonable expectation that the user expects its personal data to be processed by the Data Controller to respond to its request.
5) DATA PROCESSING METHOD
The processing will take place using electronic, computerised and manual instruments.
The data is processed by the Data Controller and collaborators or employees of the Data Controller as persons authorised to the processing, as well as by data processors specifically designated in writing as part of their respective functions and in compliance with the instructions given by the Data Controller thereby ensuring the use of adequate measures to protect the processed data while guaranteeing their confidentiality. According to the provisions of the GDPR, the data processed by the data controller is based on principles of lawfulness, correctness and transparency, purpose limitation and preservation, data minimisation, accuracy, integrity and confidentiality.
The data will always be processed with the utmost compliance of principles of confidentiality even if managed by third parties expressly assigned by the Data Controller.
Your personal data will not be subject to any automated decisional process or profiling.
6) RETENTION TIME – NATURE OF DATA PROVISION
For the purposes intended, the provision of your personal data is mandatory for purposes of responding to your request, provided that a failure to grant said data on your part will result in the inability for the Data Controller to respond to your message.
Your personal data will be kept for the time necessary to process the information request.
Beyond said term or once the request is processed, your data will be destroyed or made anonymous. The Data Controller will delete the data irreversibly using secure destruction or deletion methods or will preserve the data in anonymous form that does not allow, even indirectly, the identification of your data, in compliance with technical deletion and backup procedures.
The verification on the obsolescence of the data stored in relation to the purposes for which they were collected is performed periodically.
7) RECIPIENTS OF PERSONAL DATA
The personal data that you provide may be accessible to the Data Controller, those authorised and data processors.
The Data Subject’s personal data is disclosed primarily to third parties or recipients whose activities are required to execute the established contracts and meet certain obligations of law. Any categories of recipients that may access your personal data during or after the execution of the contract, are:
- persons who process data based on specific obligations of law (national or government entities, etc);
- software and hardware assistance companies;
- internal or external consultants that provide functional services that derive or are connected to the above-described purposes, identified in writing and for which specific instructions are given in writing with reference to the personal data processing, including management software providers, cloud platform providers and similar;
- companies or professionals for legal and out-of-court cases regarding the rights of the Data Controller;
- in general, to any public or private individual whenever disclosure is necessary for the proper and complete fulfilment of the above-mentioned purposes.
The same data may be disclosed to welfare, social security or insurance entities only with the specific request of the data subject.
An updated list of Data Processors may be requested at any time to the Data Controller.
8) DATA DISSEMINATION
Unless agreed with specific written request or due to an order of the judicial authority/mandatory obligation, the personal data that you provide will not be subject to dissemination.
9) TRANSFER OF PERSONAL DATA ABROAD
The data collected will not be transferred to third countries or international organisations.
Some personal data of data subjects are shared with recipients that could be located outside the European Economic Area. If this takes place or the transfer of data provided on services located in countries outside the EU is necessary, the Data Controller guarantees that the transfer and processing shall take place in compliance with applicable regulations or that said transfers take place through adequate guarantees, such as adequacy decisions, contractual clauses approved by the European Commission or other legal instruments.
10) RIGHTS OF THE DATA SUBJECT
The regulation allows the Data Subject to exercise specific rights outlined in articles 15 through 22 of the GDPR, including the right to obtain confirmation of the existence or otherwise of personal data concerning them, the communication in intelligible form, as well as their rectification, deletion, restriction or objection to data processing for legitimate reasons or withdrawal of their consent at any time (notwithstanding the consequences outlined herein) or the right to request portability of data regarding data subject to specific consent or their updating.
The data subject has the right to know the origin of the personal data, the purpose and the methods of processing, the logic applied in the processing, the identification data concerning the data controller and the persons to whom the data may be disclosed.
Moreover, the data subject has the right to request the transformation of the data in anonymous form, the restriction or blocking of the data processed in breach of law. Furthermore, the data subject may lodge a complaint with the Data Protection Authority for unauthorised processing of the data provided, following the methods published on the website of said authorities (http://www.garanteprivacy.it/).
Requests regarding the exercise of the above rights can be addressed to the Data Controller, to the contact details specified above, without formalities or alternatively using the provided form or using the form provided by the Data Protection Authority which can be downloaded from: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924.
It must be noted that the Data Protection Authority's head office is located in Rome, Piazza Monte Citorio no. 121: Fax: (+39) 06.69677.3785, Telephone Number (+39) 06.696771; e-mail: garante@gpdp.it; certified email address: protocollo@pec.gpdp.it
11) RIGHT TO LODGE A COMPLAINT
If the data subject believes that the data is processed in breach of the above regulations, the latter may lodge a complaint with the Data Protection Authority (to the following email address: garante@gpdp.it, or lodge a complaint by post to the Data Protection Authority, with offices located in Rome (Italy), Piazza Venezia 11, Scala B, postcode 00187, as envisaged in article 77 of the GDPR or take the appropriate legal actions as set out in article 79 of the GDPR.
12) CHANGES TO THIS PRIVACY INFORMATION STATEMENT
This privacy information statement is subject to change over time depending on the possible enter into force of new regulations, the updating or provision of new services or depending on intervening technological innovations.
Date of last update: 15 October 2024