Information on data processing and data protection (Articles 13 and 14 GDPR)
Pursuant to and in accordance with the combined provisions of European Regulation 2016/679 (General Data Protection Regulation, hereinafter "GDPR") and Legislative Decree 196/2003 as amended (Legislative Decree 101/2018), the company GENERAL FRUIT SRL, as the Data Controller (hereinafter "Controller"), informs the following:
Art. 1. Data controller (who is data processor).
GENERAL FRUIT SRL
Registered office: Via Torquato Tasso, 8/10 -24060 Credaro (BG), Italy. VAT n. 0107293016
e-mail address: firstname.lastname@example.org – certified email: email@example.com
Art. 2. Purpose and legal basis for processing: why the data are being processed and what the processing is justified by
As part of business activity, the acquisition and processing of personal data of customers, including banking data, are necessary to properly execute the provision of the requested service and/or product (by signing the quote, order and/or contract) and to fulfil the related obligations under civil and tax laws, so consent is not required.
The purposes for which the specific and explicit consent of the data subjects are not required are:
- to provide the requested product/service;
- to issue quotations, formulate contract proposals, issue invoices, replies to requests from interested parties (e.g., requests received by e-mail, telephone);
- fulfil pre-contractual, contractual and tax obligations consequent to such activity of the Controller;
- fulfil the obligations required by law, regulation, EU legislation or an order of the Authority;
- to exercise the rights of the Data Controller, such as any right of defence in court.
The refusal to provide all or some of the data requested for the purpose and/or the provision of incomplete and/or untrue data by the data subjects prevents the Data Controller from fulfilling its obligations.
The legal basis legitimizing the processing of data is:
- Execution of a contract to which the person concerned is part of and/or fulfilment of legal obligations.
Art. 3. Method of processing: how the data are processed
The Data Controller, to achieve the purposes of Art. 2 processes common data (e.g., first name, last name, company name, e-mail address, telephone number, PEC address, SDI code, bank and payment references, tax code, VAT number).
Unless voluntarily communicated by the data subjects, the Data Controller does not process particular data pursuant to Art. 9 of the GDPR (e.g., data related to health, political affiliation, union membership, etc.) and/or judicial data pursuant to Art. 10 of the GDPR (e.g., data referring to criminal convictions and/or crimes).
The data are processed to the extent strictly necessary to achieve the purposes set out in Art. 2 above, also with the aid of electronic or, in any case, automated means (IT tools) and the processing may also be carried out through the Owner's website.
In any case, the data processing is carried out with the adoption of all appropriate measures to ensure the security and confidentiality of the personal data of the interested parties, in particular in compliance with the security measures referred to in Article 32 of the GDPR and according to the principles of lawfulness, necessity and proportionality.
Art. 4. Data storage: where and for how long the data are kept
Data are processed and stored at the Controller's offices and on the company’s tools (e.g., computers). All data (paper and digital) are protected by appropriate security systems so as to ensure their confidentiality and preservation. All data are physically stored in Italy. The suppliers have been selected so as to ensure the safeguarding and confidentiality of data. These devices are physically located within the EU. Any transfers to a third country outside the EU or to International Organizations will take place, however, on the basis of an adaptability decision of the Commission or, in the case of transfers referred in Articles 46, 47 or 49, second paragraph of the European Regulation EU/2016/679 (GDPR), on the basis of appropriate and adequate safeguards.
The Data Controller retains personal data for as long as necessary to fulfil the purposes set forth in Article 2 above, in particular for the duration of the contractual relationship with customers, to fulfil the obligations imposed by current tax and anti-money laundering regulations. Personal data may be kept for a longer period in the case of any litigation, for the entire duration of the litigation, to allow the exercise of the Holder's right of defence in and out of court.
The data collected and processed with reference to Art. 2 will be retained for as long as the Data Controller is subject to retention obligations for tax purposes (10 years) or for other purposes required by law or company regulations.
Art. 5. Communication and transmission of data: to whom the data are communicated
Data are not subject to communication to third parties, except for obligations arising from the law. In fulfilment of these obligations, the personal data, including banking data, of customers may be transmitted to third parties who carry out the processing on behalf of the Data Controller in their capacity as external Data Processors appointed in accordance with Art. 28 GDPR (by way of example, the accountant for billing data, IT consultants for the technical support relationship, etc.).
Personal data may also be communicated to Credit Institutions, Insurance Companies, law firms for the management of any disputes and the exercise of the right of defence of the Data Controller, the competent Public Security Authorities for investigation and inspection activities, employees and/or collaborators of the Data Controller in the performance of their normal work and/or collaboration activities, as persons authorized to process the data.
The updated list of such people is in any case available at the offices of the Data Controller.
Your data will not be disseminated and no data is resold to third parties.
Art. 6. Rights of data subjects (Art. 15 et seq. of the GDPR).
Art. 15 Right of access, including the right to obtain an indication of the planned period of storage of personal data, or if this is not possible the criteria used to determine this period. Right to obtain information on the origin of the data collected, as well as the purposes and methods of processing. Right to file a complaint at any time with the Supervisory Authority (Granter Privacy: Piazza Venezia nr. 11, 00187 ROMA, Tel. +39 06 696771 - PEC: firstname.lastname@example.org); Art. 16 Right of the data subject to obtain the update, correction or integration of personal data; Art. 17 Right to erasure and the right to be forgotten; Art. 18 Right to restriction of processing, when provided ; Art. 19 Obligation of the data controller to notify the rectification, erasure and/or restriction; Art. 20 Right to data portability, when the technology in place allows it; Art. 21 Right to object, at any time for reasons related to your particular situation, if the processing is carried out in the exercise of public authority or in the performance of a task carried out in the public interest or if it is carried out on the basis of the legitimate interest of the owner; Art. 22 Right to obtain information on the existence of automated decision-making, including profiling.
Art. 7. Instances of the interested parties: how the rights can be exercised
Instances related to the exercise of the rights referred in Art. 6 above may be submitted by the Data Subjects to the Data Controller by registered letter or certified electronic mail to the addresses listed in Art. 1 above.
In all cases, the interested parties must attach their valid identity document to the request.