Xacus Srl (hereinafter referred to as “Xacus” or the “Data Controller”), in its capacity of data controller and in consideration of the importance it recognises to the protection and security of personal data, would like to inform you, pursuant to art. 13 of the Law Decree No. 196, dated 30.6.2003 (hereinafter referred to as the “Privacy Code”) and art. 13 of the EU Regulations No. 2016/679 (hereinafter referred to as the “GDPR”), that your data will be processed according to the methods and for the purposes detailed below.
1. Identity and contact details of the Data Controller and Data Protection Officer
The Data Controller is Xacus Srl, with registered office in Via J.F. Kennedy 24, San Vito di Leguzzano (VI), Italy (hereinafter, the "Data Controller").
The Data Protection Officer is Eurostep Srl, domiciled for the task at the registered office in Via Feltrina Sud, 192, 31044 Montebelluna (TV), VAT 03896260241, email firstname.lastname@example.org (hereinafter the "DPO").
2. Subject Matter of the Processing
The Data Controller processes the personal and identification data (for example: first name, surname, company name, address, telephone number, email address, banking details and payment information - hereinafter the “Data”) that you disclose upon signature of the contract and any other services that you may request to the Data Controller. Health and Judicial Data will not be processed except for those that you may voluntarily provide us, fully aware that provision of such data is not mandatory to carry out the services that you request from us.
3. Purposes of the processing
Your personal data are processed:
A) without your express consent (art. 24 letters a), b), and c) of the Privacy Code and art. 6 letter b), e) GDPR), for the following service purposes:
- provide the services you have requested to the Data Controller for the provision of: e-commerce, integrated marketing, world wide operations, and omni-channel customer experience services;
- meet the obligations established by the law (administrative, accounting, and fiscal obligations), by regulations, by EU directives or by an order of the Data Protection Authority;
- exercise the rights of the Data Controller, for example the right to defence in legal proceedings;
B) Only upon your specific and separate approval (art. 23 and 130 of the Privacy Code and art. 7 of the GDPR), for the following Marketing purposes:
- contact you by e-mail, snail mail and/or sms and/or phone to send newsletters, marketing communications and/or advertising material about services and special offers.
4. Method of processing
The Processing of your personal data is performed through the operations detailed in art. 4 of the Privacy Code and art. 4 No. 2) GDPR and more specifically: collecting, registering, organising, storing, consulting, processing, amending, selecting, extracting, comparing, using, interconnecting, blocking, communicating, erasing and destroying the data. Your personal data will be subjected to paper and digital processing. The data will be processed and stored in our IT systems. The Data Controller will process your personal data for the time necessary to achieve the purposes detailed above and, however, for no longer than 10 years from the termination of the relationship for administrative purposes and no longer than 1 year from the data collection for Marketing purposes.
5. Access to the data
Your data may be accessible for the purposes referred to in articles 2.A) and 2.B):
- to employees and contractors of the Data Controller in their capacity of persons in charge and/or in-house Data Protection Officers and/or system administrators;
- to third party companies or other subjects (only by way of example but not limited to: credit institutions, professional firms, insurance consultants etc.) that carry out outsourcing activities in the role of external persons in charge of the processing.
6. Data Communication
Without the need for express consent (pursuant to art. 24 letters a), b), and d) of the Privacy Code and art. 6 letter b) and c) GDPR), the Data Controller shall disclose your data for the purposes detailed in art. 2.A) to the Data Protection Authority if it specifically so requests, as well as to those entities to which disclosure is mandatory by law for the carrying out of the aforementioned purposes. These parties will process the data in their capacity of independent data controllers. Your data will not be disseminated.
7. Data transfer
Your personal data are stored in our IT system; servers located both in Italy and in other European countries will be used to store the data. In any case, it is understood that the Data Controller, if necessary, shall have the right to move servers also outside the EU. In this case, the Data Controller hereby guarantees that the transfer of the data outside the EU will take place in accordance with the applicable legal provisions, and after signing the standard contractual clauses required by the European Commission.
8. Nature of data provision and consequences of refusal to provide the data
The provision of data for the purposes referred to in article 2.A) is mandatory. In their absence, we cannot guarantee the Services as specified in article 2.A).
9. Rights of the interested party
In your capacity of interested party, you shall have the rights referred to in Article 7 of the Privacy Code and article 15 of the GDPR and specifically the right to:
i. obtain confirmation of the existence or non-existence of your personal data, even if not yet recorded, and their communication in an intelligible form;
ii. obtain information on: a) the origin of the personal data; b) the purposes and methods of processing; c) the logic applied in the case of processing performed with the support of electronic tools; d) the identification data of the data controller, data protection officer and person in charge appointed pursuant to article 5, paragraph 2 of the Privacy Code and article 3, paragraph 1, of the GDPR; e) the subjects or categories of subjects that may become aware of the personal data as appointed representatives in the state territory, as managers or persons in charge;
iii. obtain: a) the updating, rectification or, when interested, integration of the data; b) the erasure, transformation into anonymous form or blocking of data unlawfully processed, including data whose storage is unnecessary for the purposes for which the data were collected or subsequently processed; c) confirmation that the operations referred to in letters a) and b) were notified also concerning their content, to those parties to which the data were communicated, except in the case where such fulfilment is not feasible or involves the use of means manifestly disproportionate compared to the right protected;
iv. oppose, in full or in part: a) for legitimate reasons the processing of your personal data as long as it is related to the purpose of the collection; b) the processing of your personal data for the purpose of sending advertising material. It should be noted that the right to oppose the data processing specified in the previous point b), for purposes of direct marketing through automated means extends to the traditional ones and in any case without prejudice to the possibility of the interested party to exercise said right even just in part. Therefore, the interested party may elect to receive only communications through traditional means or only automated communications or none of the two.
Where applicable, you shall also have the rights established in articles 16-21 of the GDPR (right to the correction of the data, the right to be forgotten, the right to limit the processing, the right to the portability of the data, the right to object), as well as the right to lodge a complaint with the Data Protection Authority. Please also note that you shall promptly notify any updates to your data by email and/or registered letter with notification of receipt.
10. Methods for exercising the rights
You may at any time exercise your rights by sending:
- a registered letter with notification of receipt to: Eurostep Srl, Via Feltrina Sud, 192 - 31044 Montebelluna (TV)
- an e-mail to: email@example.com
Please note that, for the protection of your personal data, Eurostep Srl has appointed as Data Protection Officer Ms. Monica Del Toro, who may be contacted at 348.9294312 or at the email address privacyeurostep.it