In accordance with article 13 of the UE regulation 2016/679
NOVALUX SRL (controller), as the processing controller, in accordance with art 13 of the UE Regulation 2016/679 (Privacy regulation) and subsequent amendments and integrations, collect and then processes personal data of its customers and suppliers (data subject)
1. Types of processed data
Personal data subject to processing are:
“Common” personal data. These information include, for example, personal data, contact data (e-mail address and telephone number)
2. Purpose and method of processing
data subject’s personal data are processed during the ordinary controller activity, in order to pursue the following purposes.
1. Complete and correct fulfilment of obligations of the contractual relationship established (Contract)
2. Administrative and accounting fulfilments strictly linked to the contract
3. Fulfilments of specific obligations provided by the Law, a regulation or a community legislation
4. Promotional activities related to product and services similar to the ones already bought
5. Marketing: promotional and commercial activities involving also newsletter mail.
The processing of personal data takes place under the authority of the controller, by persons specifically put in charge, authorized and trained in processing method, in accordance with art. 30 of the Codice Privacy and art. 29 of the Privacy Regulation, through manual, computerized or telematic tools, with logics strictly related to the purposes and in any case in order to guarantee the confidentiality and safety of personal data. The processing of personal data may also take place, on behalf of the controller, by the Data Processors specifically designated in accordance with art. 29 of the Codice Privacy and art. 28 of the privacy regulation.
3. Legal basis of the processing and nature of the provision
With reference to the purposes referred to in paragraph 2, points 1,2,3 above, the provision of personal data is mandatory and constitutes a necessary requirement for the execution of the Contract and the related tax and administrative obligations. Failure to provide data determines the inability to receive the service covered by the Contract itself. The legal basis of the related processing is the correct execution and management of the Contract.
With reference to point 4) -activities towards acquired customers-, the legal basis is the legitimate interest of the controller. The customer may stop receiving these communications by e-mail at any time.
With reference to point 5) - marketing activity - the legal basis is consent. In case of lack of consent, it will not be possible to proceed with marketing activities.
4. Subjects or categories of subjects to whom personal data can be communicated and scope of communication.
In relation to the purposes of the process indicated above, and within the strictly relevant limits to the same, personal data of the subject party will be or may be disclosed to the following categories of subjects:
1 to the Financial Administration and other public authorities, where required by law or upon their request;
2 to credit institutions for payment orders or other financial instrumental for the execution of the Contract;
3 external subjects that exercise control activities, such as independent auditors, board of statutory auditors, supervisory body;
4 companies and organizations for credit management and / or for the protection of interests and rights;
5 subjects designated as external data processors pursuant to art. 28 of the Privacy Regulation, for related or consequent activities to the execution of the Contract
The updated list of the indicated parties and the Data Processors can be provided by the data subject upon request.
5. Extra-EU data transfer
Personal data will not be transferred to non-EU countries; unless for reasons arising from the execution of the contract, or the fulfillment of legal obligations, a transfer to non-EU countries and / or organizations is necessary, that transfer will take place in compliance with applicable law. The transfers will be made through adequate guarantees, such as adequacy decisions, standard contractual clauses approved by the European Commission or other legal instruments.
6. Data retention period or criteria for determining the period
Personal data of the data subject are kept by the controller for the time necessary to fulfill the purposes referred to in paragraph no. 2 (points 1 to 3), as well as for that prescribed by civil, fiscal and regulatory rules and in any case no longer than 10 years from the termination of the contract.
Regarding the promotional purposes towards customers already acquired (paragraph 2, point 4) the data of the data subject will be processed until the exercise of the right of opposition (activated at the beginning, on the occasion of sending the individual communications and / or through direct contact of the controller) and in any case no later than 24 months from collection.
For the marketing purposes explained in paragraph 2) point 5, the retention period is 24 months from the acquisition of consent.
Once the retention periods have elapsed, data will be anonymized or deleted, unless it is necessary to keep them for other purposes foreseen by express provision of the law.
7. Rights of the data subject.
Article 15 and seq. of the Privacy Regulation give the data subject the right to:
access to personal data, (or a copy of such personal data), as well as to further information on current treatments;
correct or update of personal data processed by the Data Controller, if they are incomplete or out of date;
delete personal data from the controller's databases in the cases provided for by current legislation;
limitate processing of personal data by the Data Controller;
Obtain a structured format, commonly used and readable by an automatic device for personal data concerning him;
opposite to the processing of personal data by the Data Controller (eg promotional activities)
The data subject can exercise his rights by writing to NOVALUX SRL at the following email address: firstname.lastname@example.org.
In any case, you always have the right to lodge a complaint with the competent Control Authority (Garante per la Protezione dei Dati Personali).
The controller has the right to modify, update, add or remove parts of this information, by giving notice to the data subjects.
Information updated in July 2020.