EXTENDED INFORMATION NOTICE PURSUANT TO ARTICLES 12, 13 AND, WHERE APPLICABLE, 14 OF THE GDPR – REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER THE GDPR)
The Data Controller provides below the Information Notice pursuant to Articles 12, 13 and, where applicable, 14 of the GDPR regarding the processing of personal data provided by the Customer/data subject through the completion and signing of the Contract to purchase the products/services offered for sale by the Data Controller, by voluntarily uploading personal data on this website (in particular through the completion of forms) or simply by browsing it.
1. Data Controller and contact details
The Data Controller is N&N SRL, with registered office at VIA CASTELMARALDO 36 41121 MODENA (MO), VAT No. 03944300361, tel. +39 347 7744 218, e-mail [email protected], web _____ (hereinafter the Website).
2. Principles applicable to processing
In accordance with the GDPR, the Data Controller constantly ensures that personal data are:
- processed lawfully, fairly and transparently;
- collected for specified, explicit and legitimate purposes, and not further processed in a way that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary for the purposes for which they are processed;
- processed, using appropriate technical and organizational measures, in a manner that ensures their security;
- processed, where based on consent, by a decision freely made by the Customer/data subject, on the basis of a request presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
The Data Controller adopts appropriate technical and organizational measures to ensure the protection of personal data by design and to guarantee that, by default, only data necessary for each specific processing purpose are processed.
The Data Controller collects and gives the utmost consideration to indications, observations and opinions of the Customer/data subject sent to the contact details indicated above, in order to implement a dynamic privacy management system that ensures effective protection of individuals with regard to the processing of their data.
This Information Notice may be amended in line with the evolution of the applicable legislation and the technical and organizational measures adopted by the Data Controller; therefore, the Customer/data subject is invited to periodically visit this section of the Website to view updates and the version of the Information Notice in force from time to time.
3. Methods of processing personal data
Personal data are processed manually and by electronic means, using methods strictly related to the purposes indicated below and, in any case, in such a way as to ensure the security and confidentiality of the data.
4. Purposes of processing personal data
(4a) Purposes for which processing is necessary
Personal data provided by the Customer/data subject are primarily processed for the performance of the Contract and the management of credit and, more generally, of the relationship arising from the Contract itself.
The provision of data in the Contract or subsequently, during the contractual relationship, for the aforementioned processing purposes is mandatory; therefore, failure to provide, partial or inaccurate provision of such data makes it impossible to conclude and/or perform the Contract and, for the Customer/data subject, to use the products/services offered by the Data Controller, potentially exposing the Customer/data subject to liability for breach of contract.
Personal data provided by the Customer/data subject may also be processed if this is necessary to comply with a legal obligation to which the Data Controller is subject, to protect the vital interests of the Customer/data subject or of another natural person, to perform a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, or for the purposes of the legitimate interests pursued by the Data Controller or by third parties, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the Customer/data subject; in these cases too, the provision of data is mandatory and, therefore, failure to provide, partial or inaccurate communication of the data may expose the Customer/data subject to any liabilities and sanctions provided for by the legal system.
(4b) Additional processing purposes following the specific and express consent of the Customer/data subject
In addition to the processing purposes set out above, the personal data provided/acquired may also be processed, with the prior consent of the Customer/data subject—expressed by selecting the «I Consent» box in the Contract or on the Website (or using other social or web applications of the Data Controller)—for conducting market research and for making commercial and promotional communications, by telephone (including using the mobile number provided) and automated means of contact (e-mail, SMS, MMS, fax, etc.), regarding products/services of the Data Controller or of companies of the Group to which the Data Controller may belong.
Consent for the processing purposes referred to in this point (4b) is optional; therefore, if consent is denied, the data will be processed solely for the purposes indicated in the previous point (4a), without prejudice to what is specified below with reference to the legitimate interests of the Data Controller or of third parties.
5. Categories of personal data processed
The Data Controller mainly processes identification/contact data (name, surname, addresses, type and number of identification documents, telephone numbers, e-mail addresses, tax/billing data, among others) and, where commercial transactions are envisaged, financial data (bank details, in particular current account identifiers, credit card numbers, among others connected to the aforementioned commercial transactions).
The processing carried out by the Data Controller, both for the performance of the Contract and on the basis of the express consent of the Customer/data subject, generally does not concern special categories of personal data, known as sensitive data (revealing racial or ethnic origin, political opinions, religious beliefs, health status or sexual orientation, etc.), nor genetic and biometric data or so-called judicial data (relating to criminal convictions and offences).
However, it cannot be ruled out that the Data Controller, in order to fulfill the obligations arising from the Contract, may need to retain and/or process sensitive, genetic and biometric or judicial data of the Customer/data subject or of third parties, of which the Customer/data subject is the data controller; in such a case, processing by the Data Controller takes place on the basis, under the conditions and within the limits of the Customer/data subject’s appointment of the Data Controller as data processor.
The Data Controller also processes, as data controller with reference to the Website, and potentially as data processor appointed for this purpose (as described above) by the Customer/data subject, so-called browsing data. The computer systems and software procedures used to operate websites acquire, during their normal operation, certain personal data whose transmission is implicit in the use of internet communication protocols. This is information not collected to be associated with identified data subjects but which, by its very nature, could allow users to be identified. This category of information includes geolocation data, IP addresses, browser type, operating system, domain name and addresses of websites from which access or exit was made, information on pages visited by users within the site, access time, time spent on individual pages, internal path analysis and other parameters relating to the user’s operating system and computer environment. By their very nature, such information, through processing and association with data held by third parties, may make it possible to identify users.
The Website may also use cookies, both session cookies (which are not stored on the data subject’s computer and disappear when the browser is closed) and persistent cookies, for the transmission of information of a personal nature, or in any case systems for tracking data subjects.
6. Source of personal data
The personal data processed by the Data Controller are collected directly by the Data Controller from the Customer/data subject at the time of, and during, his/her browsing on the Website (or when using other social or web applications of the Data Controller), or, also through its sales representatives, at the time of, or after, the signing of the Contract, during its performance, or from public sources.
As specified above, the Data Controller, as data processor appointed for this purpose, in order to perform the obligations arising from the Contract, may retain and/or process data—particularly browsing data—potentially including sensitive, genetic and biometric or judicial data, of third parties of which the Customer/data subject is the data controller, acquired, with the prior consent of such third parties, at the time of, and during, their browsing on the Website (or using other social or web applications pertaining to the Data Controller).
7. Legitimate interests
The legitimate interests of the Data Controller or of third parties may constitute a valid legal basis for processing, provided that the interests or fundamental rights and freedoms of the data subject do not prevail. In general, such legitimate interests may exist where there is a relevant and appropriate relationship between the Data Controller and the data subject, for example where the data subject is a customer of the Data Controller. In particular, it is a legitimate interest of the Data Controller to process personal data of the Customer/data subject: for the purposes of fraud prevention, for direct marketing purposes, to ensure the free circulation of such data within the business group to which the Data Controller may belong, or data relating to traffic, in order to ensure network and information security, i.e., the ability of a network or system to withstand unforeseen events or unlawful acts that may compromise the availability, authenticity, integrity and confidentiality of data.
8. Circulation of personal data
(8a) Disclosure of personal data – categories of recipients
In addition to employees and collaborators of the Data Controller (who are authorized by the Data Controller to process data on the basis of appropriate written operating instructions, in order to ensure confidentiality and data security), certain processing operations may also be carried out by third parties to whom the Data Controller entrusts certain activities, or parts thereof, functional to the purposes referred to in point (4a), therefore both in performance of contractual and legal obligations, including but not limited to: commercial and/or technical partners; companies providing banking and financial services; companies providing document archiving services; debt collection companies; auditing and financial statement certification firms; rating agencies; entities providing professional assistance and consultancy to the Data Controller; customer care companies; factoring companies, securitization companies or, in any case, assignees of receivables; companies of the group to which the Data Controller may belong; providers of commercial information; IT service companies. The entities belonging to the aforementioned categories process the personal data as independent data controllers, or as data processors, with reference to specific processing operations included in the contractual services they perform for/in the interest of the Data Controller; the Data Controller provides the processors with appropriate written operating instructions, with particular reference to the adoption of minimum security measures, in order to guarantee the confidentiality and security of the data.
Some processing operations may also be carried out by third parties to whom the Data Controller entrusts certain activities, or parts thereof, also functionally to the purposes referred to in point (4b), including but not limited to: commercial and/or technical partners; companies that institutionally provide marketing services; advertising agencies; entities providing assistance and consultancy in relation to prize contests and promotions. The entities belonging to the aforementioned categories process personal data as independent data controllers or as data processors, with reference to specific processing operations included in the contractual services they perform for/in the interest of the Data Controller; the Data Controller provides the processors with appropriate written operating instructions, with particular reference to the adoption of minimum security measures, in order to guarantee the confidentiality and security of the data.
The list—subject to periodic updates—of the data processors with whom the Data Controller has relationships is available upon written request to the Data Controller’s registered office.
Personal data may also be disclosed, upon request, to the competent authorities, in fulfillment of obligations arising from mandatory legal provisions.
(8b) Transfer of personal data to third countries
The personal data of the Customer/data subject may also be transferred abroad, both to countries of the European Union and to countries outside the European Union and, in the latter case, either on the basis of an adequacy decision, or within and with the appropriate safeguards provided for by the GDPR (thus, in particular, in the presence of standard contractual clauses approved by the European Commission), or, outside the aforementioned cases, by relying on one or more of the derogations provided for by the GDPR (in particular, on the basis of the explicit consent of the Customer/data subject, or for the performance of the Contract concluded by the Customer/data subject, or for the performance of a contract concluded between the Data Controller and another natural or legal person for the benefit of the Customer/data subject, specifically for the performance of activities entrusted to the latter by the Data Controller for the performance of the Contract concluded with the Customer/data subject). In the event of transfers of data to countries outside the European Union, the Customer/data subject may, upon written request sent to the Data Controller’s registered office, learn of the appropriate safeguards or the derogations that legitimize the cross-border processing. It is understood that, in the event of transfer of data to countries outside the European Union, for any request concerning the data, including for the exercise of the rights recognized by the GDPR to the Customer/data subject, the latter may always validly contact the Data Controller.
9. Criteria for determining the personal data retention period
For the purposes referred to in point (4a) above, the period of retention of the personal data provided by the Customer/data subject, and their consequent potential processing, coincides with the limitation period for the rights/duties (legal, tax, etc.) arising from the Contract: typically, therefore, 10 years, unless events interrupting the limitation period occur which could, in fact, extend said period.
For the purposes referred to in point (4b) above, the period of retention of the data provided by the Customer/data subject, and their consequent potential processing, ends with the withdrawal of the consent previously given by the Customer/data subject or, in the absence thereof, in any case one year after the termination of any relationship between the Data Controller and the Customer/data subject.
10. Rights of the Customer/data subject
The Data Controller recognizes—and facilitates the exercise by the Customer/data subject of—all the rights provided by the GDPR, in particular the right to request access to his/her personal data and obtain a copy (Art. 15 GDPR), rectification (Art. 16 GDPR) and erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR, where applicable) and to object to processing (Arts. 21 and 22 GDPR, in the cases mentioned therein and, in particular, to processing for marketing purposes or that results in automated decision-making, including profiling, which produces legal effects concerning him/her, where applicable).
The Data Controller also recognizes to the Customer/data subject, where processing is based on consent, the right to withdraw such consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To do so, the Customer/data subject may unsubscribe at any time on the Website (or on other social or web applications of the Data Controller) or by using the appropriate link at the bottom of each commercial communication received, or by contacting the Data Controller at the contact details indicated above.
The Data Controller further informs the Customer/data subject of the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), as the supervisory authority operating in Italy, and to seek judicial remedy both against a decision of the Authority and against the Data Controller and/or a data processor.
11. Security of systems and personal data
Taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of processing, and the risk, of varying likelihood and severity, to the rights and freedoms of natural persons, the Data Controller adopts technical and organizational measures deemed appropriate to ensure a level of security appropriate to the risk, in particular ensuring, on a permanent basis, the confidentiality, integrity, availability and resilience of processing systems and services (including through encryption of personal data, where necessary) and the ability to promptly restore the availability of data in the event of a physical or technical incident, and adopting internal procedures aimed at regularly testing, verifying and evaluating the effectiveness of the technical and organizational measures employed.
In assessing the appropriate level of security, account is taken of the risks presented by processing that arise, in particular, from the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful.
The Data Controller endeavors to ensure that anyone acting under its authority and having access to personal data does not process such data unless instructed to do so by the Data Controller.
That said, the Customer/data subject acknowledges and accepts that no security system can guarantee absolute protection; therefore, the Data Controller is not liable for acts or events of third parties who unlawfully, despite the appropriate precautions adopted, access the systems without due authorization.
12. Automated decision-making, including profiling
The Data Controller may carry out automated processing, including profiling, in relation to the purposes referred to in point (4b) above, to optimize the navigability of the Website (or the usability of other social or web applications of the Data Controller) and to improve the purchasing experience, without prejudice to the rights of objection and withdrawal of consent by the Customer/data subject as specified above.
Profiling means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning, for example, personal preferences, interests or location of that person, also for the purpose of creating profiles or homogeneous groups of subjects by characteristics, interests or behaviors.
The Data Controller does not carry out any automated processing that produces legal effects concerning the Customer/data subject or similarly significantly affects him/her, unless this is necessary for the conclusion or performance of the Contract, is authorized by law or is based on the explicit consent of the Customer/data subject, in any case always recognizing the latter’s right to obtain human intervention, to express his/her opinion and to contest the decision.
