Privacy Policy pursuant to Articles 13-14 of the GDPR (General Data Protection Regulation) 2016/679

Dear User,

In compliance with the 2016/679 European Regulation (acronym GDPR), INDECO ind. S.p.a. wishes to inform you that the personal data you have provided or that we have acquired in the course of our business, needed to implement the services offered to you, will be treated in compliance with the law on privacy and the principles of correctness, lawfulness, transparency and protection of your privacy and your rights.

In addition, we wish to send you the following information:

1. The data controller and data processor

The data controller and data processor is Indeco Ind Spa, company established at Viale Lindemann 10 – 70132 Bari ZI VAT Code 05949910722, which can be contacted as follows: tel +39 080 531 33 70, e-mail privacy@indeco.it

2. Data processed, purpose and legal basis of the processing

2.1. The computer systems and software used to operate the corporate website www.indeco.it acquire some personal data that are implicitly a consequence of using information protocols on the Internet (for example domain names and IP addresses). These data are not accompanied by additional personal information and are used to obtain anonymous statistical information about the site, to check how it is used and to ascertain any liability in the event of computer crimes. The legal basis legitimizing the processing of such data is the need to make the features of the corporate website usable during access by the User.

2.2. Data provided voluntarily by the User are those which the Data Controller requires in order to provide services and are processed in a lawful and fair manner, and are also collected and recorded for the specific, explicit and legitimate purposes indicated below and are used in processing operations that are not incompatible with such purposes.
Personal data (personal identification data such as name and surname, company name, tax code and VAT number, address, telephone/fax, e-mail, bank and payment details) are collected and processed for the following reasons:

a) to carry out customer relations activities based on pre-contractual and contractual agreements;

b) for administrative, fiscal or internal accounting purposes related to the customer-supplier relationship and to fulfill the obligations generally required of the Data Controller by laws or regulations, by community legislation, at the request of the Judicial Authority or in order to exercise the Data Controller’s rights (for example the right to defence in court);

c) in the presence of specific distinct consent of the User, for the following marketing purposes: to send (via e-mail, post, sms or telephone contact) newsletters, updates on the activities of the Data Controller, advertising material or commercial communications – possibly also customized based on the User’s consumption habits (profiling) – on products or services offered by the Data Controller that the User may consider to be of interest and to determine the degree of satisfaction on the quality of services, including requests for participation in analysis or research market;

c) in the presence of specific distinct consent of the User, for the following marketing purposes: to send (via e-mail, post, sms or telephone contact) newsletters, updates on the activities of the Data Controller, advertising material or commercial communications – possibly also customized based on the User’s consumption habits (profiling) – on products or services offered by third parties such as, for example, business partners or other Indeco Ind Spa Group companies;
d) when sending a curriculum vitae, exclusively for the purposes of selecting personnel and setting up an employment relationship.
The legal basis that legitimizes the processing of the data referred to in points “a” (pre-contractual and contractual agreements) and “b” (administrative, accounting or tax purposes) is the execution of a contract for the provision of services to the User, or the performance of pre-contractual activities at the User’s request.
In the cases expressly indicated in points “c” (marketing and profiling), “d” (marketing and profiling by third parties) and “e” (curriculum vitae) the legal basis is the consent freely given by the User.

2.3. Pursuant to Articles 9 and 10 of the GDPR, the User may entrust the Data Controller with data coming under the heading of “particular categories of personal data” (i.e. data revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, … genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”). These categories of data may only be processed by the Data Controller with the prior consent of the User, expressed in writing by signing this Policy, for contractual requirements and related fulfillment of legal and tax obligations and for personnel selection requirements.

3. Processing methods

The processing of the User’s personal data is carried out by means of: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data.
The User’s personal data are collected when sent directly to the Data Controller, by filling in forms designed for such a purpose, even as part of contractual documents, or collected by telephone by the operator in the context of pre-contractual activities. The data shall be processed either manually in paper format or with electronic or automated, computerized and telematic tools. Such data shall be recorded and stored by the Data Controller in computer and paper archives, as well as stored and controlled in such a way as to minimize the risks of destruction or loss, even accidental, unauthorized access and processing that is not permitted or consistent with the purposes for which they were collected.
The data shall be processed by employees or persons working on the Data Controller’s behalf, duly instructed in this regard.

4.Type of data communication

The provision of personal data for processing is optional. However, any partial or total failure to provide such data may make it partly or totally impossible to establish or continue the relationship with the User, where such data are needed for such services.
The provision of data for marketing purposes is also optional. The User may therefore decide not to give any data or to subsequently refuse permission to process data previously provided: in such a case he/she will not be able to receive newsletters, commercial communications and advertising material regarding services offered by the Data Controller.

5. Recipients or categories of recipients of personal data

User data is processed by in-house staff at the Data Controller’s premises (employees, consultants, System Administrators), identified and authorized for processing according to instructions issued in compliance with current legislation on privacy and data security.
If this is required for the purposes listed in Article 2 above, the User’s personal data may be processed by third parties appointed as Data Processors (as per Article 28 of the GDPR) or “independent” Data Controllers, namely:

1. by companies in Gruppo INDECO ind. S.p.a. for the purposes referred to in Article 2.2(d);

2. by professionals, companies, associations or professional firms providing the Data Controller with administrative, accounting, and tax assistance or advice or legal protection or selection of personnel;

3. by all Public Institutes established by law and more generally by all Authorities named by current accounting and tax regulations as recipients of mandatory communications;

4. by banking institutions for collections and payments as well as any professionals – at an individual, associate or corporate level – for analysis and market research services, for the management of payments by credit cards or electronic payment instruments in general, couriers for any debt recovery activities required or for the certification of the Data Controller’s financial statements. The updated list of Data Processors and their representatives shall be kept at the Data Controller’s registered offices.
In any case, the User’s personal data may not be disclosed.

6. Transfer of data to a third country or international organizations

Under the contractual relationship, no User data shall be transferred to third-party countries outside the EU or to international organizations.

7. Retention period for personal data or criteria used to determine this period

For the purposes referred to in points “a” (pre-contractual and contractual agreements) and “b” (administrative, accounting or fiscal compliance) in Article 2.2. the User’s personal data shall be processed and stored by the Data Controller for the entire duration of the contractual relationship between the User and the Data Controller and, on termination thereof for any reason, shall be saved for the required time – for each category of data – by current legislation on accounting, tax, civil law and litigation.
For the purposes referred to in points “c” (marketing and profiling) and “d” (marketing and profiling by third parties) the User’s personal data shall be processed and stored by the Data Controller until revocation of consent by the User or until the User exercises the right to object to the processing or to have his/her personal data deleted.
For the purposes referred to in the letters “e” (curriculum vitae), the User’s personal data may be processed and stored by the Data Controller for a maximum of 12 months from the date of receipt.

8. User rights

In your capacity as Data Subject and in relation to the data processing described in this Policy, you the User shall have the rights set out in Articles 7, 15 to 21 and 77 of the GDPR and, in particular, the:

• right of access – Article 15 GDPR: the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data, including a copy thereof;

• right to rectification – Article 16 GDPR: right to obtain, without undue delay, the rectification of inaccurate personal data concerning the User and/or the right to have incomplete personal data completed;

• right to erasure (right to be forgotten) – Article 17 GDPR: right to obtain, without undue delay, the erasure of personal data concerning the User;

• right to limitation of treatment – Article 18 GDPR: right to obtain the limitation of treatment, when: the interested party disputes the accuracy of personal data, for the period necessary for the Data Controller to verify the accuracy of such data; the processing is illegal and the interested party opposes the cancellation of personal data and asks instead that its use is limited; personal data are necessary for the interested party to ascertain, exercise or defend a right in court; the interested party opposed the treatment pursuant to art. 21 GDPR, in the period of waiting for the verification on the possible prevalence of legitimate reasons of the Data Controller with respect to those of the interested party;

• right to data portability – article 20 GDPR: the right to receive personal data concerning the User, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another Data Controller without hindrance, provided that the processing is based on consent and is carried out by automated means. Furthermore, the User shall have the right to have the personal data transmitted directly from one Data Controller to another, where technically feasible;

• right to object – Article 21 of the GDPR: the right, on grounds relating to the User’s particular situation, to object at any time to the processing of his/her personal data based on the lawfulness of legitimate interest or the execution of an assignment of public interest or the exercise of public powers, including profiling, unless there are legitimate reasons for the Data Controller to continue such processing and that such reasons prevail over the interests, rights and freedoms of the interested party or else for the assessment, exercise or defence of a right in court. Furthermore, the right to object at any time where processing of personal data concerning him or her for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing;

• right to withdraw – GDPR article 7: the User has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;

• right of complaint – Article 77 GDPR: the User has the right to lodge a complaint with the Italian Data Protection Authority, Piazza di Montecitorio 121, 00186, Rome (RM).

9. How to exercise your rights

The User may at any time exercise his/her rights by sending a registered letter to:
INDECO ind. S.p.a. Viale Lindemann 10 – 70132 Bari ZI or a certitied e-mail to indecoind.spa@pec.it.
In order to exercise your rights as set out in this Policy and to receive any information relating thereto, please contact the Data Controller who, also via the designated facilities, will deal with your request and without unjustified delay and in any case no more than one month after receipt thereof, inform you of the action taken in this regard.
Exercise of User rights is free of charge under Article 12 of the GDPR. However, in the case of manifestly unfounded or excessive requests, which may be due to the being repeated, the Data Controller may charge the User a reasonable fee to cover any administrative costs incurred to manage his or her request, or refuse to deal with such a request.