Disclosure of the processing of personal data of the interested parties

PURSUANT TO EU REGULATION No 2016/679 (‘GDPR’)

DATA CONTROLLER
  • Company Name: Lekkerland Italia S.C. a R.L.
  • Address: Milanofiori – Strada 1 Palazzo F2 20057 Assago (MI)
  • phone number: +39 (02) 82.43.451
  • e-mail address: gdpr@lekkerland.it
TYPE OF DATA, PURPOSE OF PROCESSING

The collection and treatment will be carried out on the following types of data:

  • identification data: name, surname, tax code, etc.
  • contact details: telephone number, e-mail, address, etc.
  • bank details: IBAN, credit card number, etc.
  • special categories of data (already sensitive data): data revealing racial or ethnic origin, political opinions, religious or philosophical conventions, trade union membership, genetic data, biometric data uniquely identifying a natural person, data concerning health or sex life or sexual orientation
  • data relating to criminal convictions and offenses (already judicial data): Personal data relating to the criminal record, the registry of administrative sanctions dependent on crime and related charges pending, or the status of defendant or suspect under Articles 60 and 61 of the Code of Criminal Procedure; or personal data relating to criminal convictions and offenses or related security, safety measures

For the following purposes:

  1. Establishment and execution of the contractual relationship
  2. Fulfillment of obligations under regulations and applicable legislation
  3. If necessary, to ascertain, exercise, or defend the Owner’s rights in or out of court.
LEGAL BASIS OF THE PROCESSING

The legal bases for the applicable treatment identified by GDPR are:

  • Execution of a contract to which you are a party
  • Need to comply with legal obligations
  • The legitimate interest of the Holder for a better organization of the work activity
DATA RETENTION OR THE CRITERIA USED TO ESTABLISH THIS PERIOD

The period of data retention shall be determined in the following periods:

  • 10 years after termination of contract/relationship
  • In the event of litigation for the duration of the litigation and the time limits for appealing

Once the above-mentioned storage terms have expired, the data will be destroyed, deleted, or made anonymous, compatibly with the state of the art.

PROVISION OF DATA

The provision of data for the purposes referred to in letters a), b) and c) above are mandatory. In case of failure to provide data, it will not be possible to proceed with the contractual relationship.

THIRD-PARTY RECIPIENTS OF THE DATA

The data can be transmitted to subjects other than the holder, even autonomous holders. The data may also be transmitted to parties who process them on behalf of the Company as Data Processors based on a legally binding data protection agreement.

Categories of subjects, e.g:

  1. IT suppliers (e.g. data back-up services, e-mail, WEB/cloud computing, hosting, network monitoring, e-mail sending, website maintenance, etc.)
  2. consultants (e.g. payroll, competent doctor, workplace safety, professionals, etc.)
  3. supervisory and control authorities and bodies, public or private entities having the right to request data
AUTHORIZED SUBJECTS TO PROCESS PERSONAL DATA

The data may be processed by workers in relation to their job, expressly authorized and adequately instructed in the processing.

TRANSFER OF DATA TO THIRD COUNTRIES (EXTRA EU/EEA)

The servers we use are located within the European Union.

The Data Controller, where necessary, transfers data abroad to non-European countries.

In this case, the Data Controller hereby ensures that the transfer of data outside the EU will take place in accordance with the applicable legal provisions.

Specifically, the data will be transferred abroad to non-European countries, only if the level of data protection of the Third Country has been deemed adequate by the European Commission pursuant to art. 45 of GDPR or after the adoption of adequate guarantees pursuant to art. 46, 2, letter c) and d) GDPR (binding corporate clauses, standard contractual clauses, code of conduct, certification mechanism).

In the absence of an adequacy decision, the transfer of data may be made in the presence of one of the exceptions provided for in Article 49 of the GDPR (e.g. consent, transfer necessary for contractual or pre-contractual purposes concerning a contract entered into with the data subject or in their favor, verification, exercise or defense of a right in court, etc.).

DATA SUBJECT’S RIGHTS – RIGHT TO LODGE A COMPLAINT WITH THE COMPETENT SUPERVISORY AUTHORITY

The persons concerned have the following rights:

  1. right of access:
    • to know whether data are being processed, for which purposes, on which data, recipients or categories of recipients to whom the personal data have been or will be disclosed, when possible, the period of retention of personal data envisaged or, if that is not possible, the criteria used to determine that period, what are the data subject’s rights, information on their source, whether an automated decision-making process is taking place, including profiling (at least in such cases with significant information on the logic used, the importance and consequences of that process), what are the appropriate safeguards if the data are transferred to a country m
    • To obtain a copy of the personal data being processed without infringing the rights and freedoms of others
  2. Correction of inaccurate data and integration taking into account the purposes of the processing,
  3. deletion in the following cases: : a) personal data are no longer necessary concerning the purposes for which they were collected or otherwise processed; b) the data subject withdraws consent if there is no other legal basis for the processing; c) the data subject opposes the processing in the absence of rights or obligations to the contrary prevailing; d) the personal data have been processed unlawfully; e) there is a legal obligation to do so on the part of the Data Controller; e) the personal data have been collected concerning the offer of services on the Internet
  4. llimitation to the processing for contesting the accuracy of the data, for unlawful processing because excessive, for ascertaining, exercising or defending a right in court (even if the owner no longer needs the data), in case of opposition (pending verification of the existence of this right in practice)
  5. opposition (in the case of processing necessary for the performance of a task in the public interest or the legitimate interest of the Controller, including profiling) on grounds related to the particular situation of the data subject, except where other public interest rights or legal obligations prevail
  6. opposition to the receipt of commercial communications by automated means (e-mail, etc.) for processing for direct marketing purposes, including profiling
  7. portability of data in a common and interoperable electronic format, also directly to another operator if technically possible, in case of processing with automated tools

In the cases referred to in points (b), (c), and (d), the controller shall inform each recipient to whom the personal data have been supplied of any rectification, erasure, or restriction of processing carried out unless this proves impossible or involves a disproportionate effort.

In order to exercise his or her rights, the interested party may contact the Data Controller using the contact details provided in this notice.

The persons concerned shall have the right to lodge a complaint with the competent supervisory authority in the Member State where they habitually reside or work or in the State where the alleged infringement has occurred.
LAST UPDATE: 23 AUGUST 2019