PRIVACY INFORMATION STATEMENT
IN ACCORDANCE WITH ARTICLE 13 OF THE EU REGULATION 2016/679(GDPR)

Dear Data Subject,

With this document, the Company CARPAD SPA provides information regarding the processing characteristics and methods of your personal data in compliance with the provisions of the GDPR and the applicable Privacy Code.

Each processing of your personal data will be based on principles of lawfulness, correctness and transparency.

1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER

The Data Controller (hereinafter “Data Controller” or “the Company”) is CARPAD SPA, with head office located in 35014 Fontaniva (PD), Viale Dell’Industria, 16, VAT number 01747990289, Economic and Administrative Index no. PD – 180262, as represented by its pro tempore legal representative that can also be contacted at the following contact details:

tel.: +39 049 594 2430

Fax: +39 049 594 1525

Certified Email Address: carpadspa@legalmail.it

2. TYPES OF PERSONAL DATA PROCESSED. PURPOSES AND LEGAL BASIS OF DATA PROCESSING.

The Data Controller gathers and processes personal data in order to identify the Data Subject, directly or indirectly, data of which includes by way of example, personal data, contact details, economic and banking data. The Data Controller gathers and processes said data for the following purposes:

- To establish and execute a contact to which the Data Subject is party or perform pre-contractual measures adopted upon request of the latter (“contractual purposes”);

- To fulfil obligations of law, regulations and provisions issued by authorities entitled to do so or by regulatory or control authorities (“legal purposes”).

The legal basis that legitimises the data processing consists of the following:

- For pre-contractual and contractual purposes, based on the need to guarantee the proper management and performance of the pre-contractual and contractual agreement (article 6, paragraph 1 letter B, GDPR), and therefore it does not require your express consent;

- For legal purposes, based on the need to guarantee the fulfilment of the obligations set out by national and supranational laws (article 6, paragraph 1, letter C, GDPR) and therefore it does not require your express consent.

3. DATA PROCESSING METHODS.

The Data will be processed with the use of manual and computerised instruments (by way of example, but not limited to corporate IT devices, the internet and intranet, management software, corporate email, access control systems, etc.) with methods and appropriate instruments that can guarantee utmost security.

The processing will conform to principles of correctness, lawfulness, transparency, necessity and in such a manner as to protect the confidentiality of the Data. The Data will not be subject to any automated decisional process.

4. RETENTION PERIOD.

The retention period of the personal data starts from the time the data is provided when the services start; the personal data is kept for as long as necessary to fulfil the purpose for which it was collected or for the time required by law, regulations and national and EU provisions to which the Company must conform.

In particular, keep in mind that:

In compliance with regulations currently in force and the statute of limitations set out by law for rights regarding the services, the retention period currently applicable and in this case, applied, is of ten years for the personal data and payment details (effective as of the end of the services).

The above without prejudice to cases in which rights of the contract are challenged before the courts, in this case the personal data of the Data Subject, exclusively those required for said purposes, will be processed for the time that is essential to pursue them.

- Administrative, accounting and tax purposes: Up to 10 years after the termination of the contract;

- Purposes of investigation and prosecution of offences: 12/24/72 months, as set out by specific provisions;

- Retention purposes set out by obligations of law (for example statutory limitations of rights): Up to 10 years after the termination of the contract

5. DATA PROCESSORS. RECIPIENTS OF PERSONAL DATA.

Those authorised by the Data Controller are responsible for processing the data based on their respective roles, while the Data Processors designated in writing carry out the same role within the scope of their duties. The processing takes place in compliance with the instructions provided by the Data Controller, ensuring the adoption of appropriate security measures to protect the data processed while guaranteeing its confidentiality. A full list of Data Processors is available upon request.

Furthermore, the data could be communicated to third parties if necessary to fulfil the purposes described above.

6. TRANSFER OF DATA TO COUNTRIES OUTSIDE THE EU.

The data gathered will not be transferred by the Data Controller to Countries outside the European Economic Area or to international organisations.

Nevertheless, some personal data could be shared with recipients who may be located outside the European Economic Area. In the event of this circumstance and if a transfer of the data provided is necessary on servers located in countries outside the EU, the Data Controller shall ensure that the transfer and processing take place in compliance with applicable laws, namely by applying appropriate guarantees, such as adequacy decisions, contractual clauses approved by the European Commission or other legal instruments.

7. NATURE OF DATA PROVISION.

The provision of the personal data is necessary to fulfil legal and contractual obligations and therefore, a failure to provide such data in part or in whole will result in the inability for the Data Controller to perform its duties relating to the contract and obligations of law imposed on the Data Controller.

8. RIGHTS OF THE DATA SUBJECT

The regulation allows the Data Subject to exercise specific rights outlined in articles 15 through 22 of the GDPR, including the right to obtain confirmation of the existence or otherwise of personal data concerning them, the communication in intelligible form, as well as their rectification, deletion, restriction or objection to data processing for legitimate reasons or withdrawal of their consent at any time (notwithstanding the consequences outlined herein) or the right to request portability of data regarding data subject to specific consent or their updating.

The data subject has the right to know the origin of the personal data, the purpose and the methods of processing, the logic applied in the processing, the identification data concerning the data controller and the persons to whom the data may be disclosed.

Moreover, the data subject has the right to request the transformation of the data in anonymous form, the restriction or blocking of the data processed in breach of law. Furthermore, the data subject may lodge a complaint with the Data Protection Authority for unauthorised processing of the data provided, following the methods published on the website of said authorities (http://www.garanteprivacy.it/).

Requests regarding the exercise of the above rights can be addressed to the Data Controller, to the contact details specified above, without formalities or alternatively using the provided form or using the form provided by the Data Protection Authority which can be downloaded from: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924.

It must be noted that the Data Protection Authority's head office is located in Rome, piazza Monte Citorio n. 121; Fax: (+39) 06.69677.3785; Main phone number: (+39) 06.696771; e-mail: garante@gpdp.it; certified email address: protocollo@pec.gpdp.it.

9. RIGHT TO LODGE A COMPLAINT

If the data subject believes that the data is processed in breach of the above regulations, the latter may lodge a complaint with the Data Protection Authority (to the following email address: garante@gpdp.it, or lodge a complaint by post to the Data Protection Authority, with offices located in Rome (Italy), Piazza Venezia 11, Scala B, postcode 00187, as envisaged in article 77 of the GDPR or take the appropriate legal actions as set out in article 79 of the GDPR.

10. CHANGES TO THIS PRIVACY INFORMATION STATEMENT

This privacy information statement is subject to change over time depending on the possible enter into force of new regulations, the updating or provision of new services or depending on intervening technological innovations.

Date of last update: 15 October 2024.

Cookie

Domain

Type

Description

Duration

django_language

carpadspa.com

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

This cookie is used to store the user-selected language.

Session

sessionid

carpadspa.com

Necessary

Used to keep the browsing session active.

2 weeks

csrftoken

carpadspa.com

Necessary

Automatically generated, necessary for the functioning of the website. It does not contain personal user information.

1 year

_ga

.carpadspa.com

Statistics

Installed by Google Analytics, used to store and count page views.

1 year

_ga_0K6PNP22M0

.carpadspa.com

Statistics

Installed by Google Analytics, used to store and count page views.

1 year

_gat

.carpadspa.com

Statistics

Installed by Google Analytics to read and filter bot requests.

10 minutes

__Secure-3PSID __Secure-3PSIDCC __Secure-1PSID __Secure-1PAPISID __Secure-1PSIDCC

.google.com

Advertising

Google may use these cookies to build a profile of website visitors’ interests to show relevant and personalized ads through retargeting.

1 year

AEC
APISID
HSID
NID
SAPISID
SID*
SSID
SOCS

.google.com

Advertising

Google may use these cookies for security purposes, remembering your preferences, gathering information about videos watched for analytics and advertising purposes, and collecting data linked to your Google account.

between 180 and 400 days

_GRECAPTCHA

www.google.com

Functional

Installed by Google reCAPTCHA to provide protection from spam.

6 months

cc_cookie

carpadspa.com

Necessary

This cookie is set by the website to store the user's cookie preferences.

6 months