Subject: Privacy Policy on the processing of personal data

Pursuant to the current legislation on the processing of personal data (Regulation (EU) 2016/679 and Leg. Decree 196/03, as amended by Leg. Decree 101/2018), data provided regarding the data subject (also in the case of data subjects operating as sole traders, small businesses, or professionals) or its employees, agents, representatives and collaborators (hereinafter the “Data”), will be processed in accordance with the provisions of the current applicable privacy legislation; in any case, Data is processed in such a way as to ensure the safety of said data, and in line with the principles of fairness, lawfulness and confidentiality provided for by law (art. 5 of Regulation (EU) 2016/679 – hereinafter the “GDPR”).

Data Controller

The Data Controller, pursuant to art. 4 of the GDPR, is Anci Servizi S.r.l. a Socio Unico, with registered offices in Milan, Via Alberto Riva Villasanta 3, with operating premises in Vigevano, C.so Brodolini 19 and Via Aguzzafame 60/B. To contact the Data Controller, simply send an e-mail to info@cimac.it or call either +39.0381.84722 or +39.02.438291. The Data Controller has appointed a DPO, who can also be contacted as above.

Purpose of the Privacy Policy

As required by art. 12 of the GDPR, the Data Controller has adopted this Privacy Policy to provide the information set forth in art. 13 of the GDPR and the communications set forth in artt. 15 to 22 and 34 of the GDPR relating to the processing of the data you supply to execute the contract.

This is a general Privacy Policy provided to data subjects (customers / suppliers). The Data Controller has prepared specific Privacy Policies relating to specific cases of data processing, which are supplied directly to the data subject at the start of the relationship.

Processing purposes

Data is processed, in line with the principles of lawfulness provided for under art. 6 of the GDPR, for purposes relating to the relationship established with the Data Controller; therefore, data processing is legally justified, as required by art. 13 c) of the GDPR, by the purposes for which the relationship is established with the Data Controller, i.e. the execution of the contract between the parties.

Processing methods and storage of data

Given the above purposes, the processing of data supplied to the Data Controller will include activities that are necessary for the proper execution of the provisions of the commercial agreement, such as, inter alia: the management, organisation, storage and creation of a database, consultation, archiving, communication of initiatives, processing for administrative-accounting purposes, emailing soft spam, the production of statistics, the use, destruction and rectification of data processed following the data subject’s notification.

Providing your data is optional. However, failure to provide same may prevent the execution of the obligations arising from the contract between the parties. Therefore, in the case of pursuing the commercial relationship, the processing of any personal data supplied (also in the name, on behalf and in the interest of employees and/or consultants, collaborators and agents) shall in any case be deemed authorised pursuant to art. 6, para. 1 b) of the GDPR.

Should the Data Controller intend to process personal data for a purpose other than that for which it was collected, the data subject will be provided in advance with information on this new purpose and all other pertinent information, and the Data Controller will seek his or her prior consent.

Data will be processed in paper form and/or electronically by parties specially authorised to do so. Data processed for accounting and/or administrative purposes will be stored for 10 years, as will any data processed for the CE/EU certification of PPE; for all other purposes, the storage period shall in no case be more than 10 years.

Scope of communication and dissemination

Processing includes communication of data to members of the Data Controller’s organisational structure, i.e. to its consultants entrusted with managing the business, in order to fulfil the established trade relationship. Moreover, it should be noted that the data collected and subsequently processed will be communicated and hence made available to the DPO for accounting and/or administrative purposes and in any case to related parties in order to ensure the correct execution of the existing contract, as well as to the Ministry of Economic Development and the Ministry of Labour as regards the CE certification of Personal Protective Equipment (PPE).

The data collected will not be disseminated.

Transferral of personal data

Processing will include the use of data supplied both within and outside the EU, but only in the countries set forth in artt. 45 and 46 of the GDPR.

Special categories of personal data

The Data Controller reminds the data subject that the personal data requested and supplied does not fall under the categories of personal data listed in artt. 9 and 10 of the GDPR.

Existence of automated decision-making, including profiling.

The Data Controller does not process data on the basis of automated decision-making processes or for profiling purposes.

Rights of the data subject and limitations

The Data Controller also informs you that the following rights are guaranteed under art. 13, para. 2, of the GDPR:

The Data Controller informs you that the rights listed in and guaranteed by artt. 15-22 of the GDPR may not be exercised by submitting a request to the Data Controller or by lodging a complaint under art. 77 of the GDPR if exercising same could cause real, concrete injury to certain data categories and/or to certain activities as listed in art. 2-undecies of Leg. Decree 196/03, as harmonised by Leg. Decree 101/2018; this does not prejudice the provisions, specified in paragraphs 2 and 3 of the aforementioned article, in terms of limitations, exclusions or delays in exercising rights.

The exercising of rights

To exercise the rights listed above, simply e-mail info@cimac.it, stating the wording “Exercising of rights under the GDPR” in the subject line and specifying the right that you wish to exercise in the body of the email, along with your name, surname and the email address where you wish to receive a reply from Anci Servizi s.r.l. Once your request has been processed, the Data Controller will send its feedback in the terms set forth in art. 12, point 3, of the GDPR.

For more information on the processing of personal data by the Data Controller, please read the privacy policy found in the website footer.