Studio Volpi S.r.l., a company that provides design services, realizes products and prototypes, and engineers industrial processes, has for years considered the protection of its Users’ personal data to be of fundamental importance, ensuring that the processing of personal data, carried out by any means, both automated and manual, takes place in a form and manner appropriate to ensure the Users’ rights.
In view of the entry into force of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data (hereinafter referred to as the “Regulation”) and other applicable rules on the protection of personal data, Studio Volpi has deemed it appropriate to reaffirm its commitment to the protection of privacy, embracing and sharing the principles set out in said legislation, drawing up, among other things, a simple and intuitive but, at the same time, appropriately detailed and comprehensive policy.
The term “Personal Data” refers to the definition contained in Article 4, no. 1 of the Regulation, i.e. “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (hereinafter referred to as “Personal Data”).
The Regulation provides that, before proceeding with the processing of Personal Data (a term that means, according to the definition contained in Article 4, no. 2 of the Regulation, “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”, hereinafter the “Processing”), the person to whom such Personal Data belongs must be informed about the purposes for which they are requested and how they will be used.
This policy, drawn up on the basis of the principle of transparency and all the elements required by Article 13 of the Regulation, is divided into sections (hereinafter “Sections” and individually “Section”) each of which deals with a specific subject in order to make reading faster and easier to understand (hereinafter the “Policy”).
A - Data Controller
The company that will process the Personal Data for the purposes referred to in Section B of this Policy and that, therefore, will be considered as Data Controller according to the definition contained in Article 4, no. 7 of the Regulation, will be:
- Studio Volpi S.r.l. (VAT no. IT02274080122), with legal headquarters at 21013 - Gallarate (VA), Italy, Via Ronchetti, no. 2 and operational headquarters at 21040 - Carnago (VA), Italy, Via G. Matteotti, no. 17b, Commercial Registry of Varese, R.E.A. no. VA-243127 (hereinafter the “Data Controller”).
The data processing will take place at the legal and operational headquarters of the Data Controller.
The Data Controller, for some processing operations as identified in Section B below, will be joined by the company Quarry Up S.r.l. (VAT no. IT03543990125), with legal headquarters at 21013 - Gallarate (VA), Italy, Via Ronchetti, no. 2, which will act as joint controller of the processing, that is, the case in which “two or more controllers jointly determine the purposes and means of processing”, as provided for in Article 26 of the Regulation.
B - Purposes of the processing
1. Purposes of law and necessary contractual purposes - processing necessary to comply with a contractual or legal obligation to which the Data Controller is subject or to execute a specific request of the User: personal data may be processed, without the need for the User's consent, in cases where this is necessary to comply with obligations arising from provisions of national and European laws. Furthermore, personal data may be processed in response to requests from administrative or judicial authorities and, more generally, from public entities in compliance with legal obligations. Personal Data will also be processed for purposes related to the establishment, execution and proper management of the contract. Such data – the provision of which is necessary for the operational, economic and administrative execution of the service – will also be processed by electronic means, recorded in special databases, and used strictly and exclusively within the contractual relationship in place. Since the communication of data for the aforementioned purposes is necessary in order to maintain and provide all services related to the contract, failure to provide such data will make it impossible to provide the specific services.
2. Administrative-accounting purposes: for the purposes of applying the provisions on the protection of personal data, the processing operations carried out for administrative-accounting purposes are those related to the performance of activities of an organisational, administrative, financial and accounting nature, regardless of the nature of the data processed. In particular, these purposes are pursued by internal organizational activities, those functional to the fulfillment of contractual and pre-contractual obligations, the keeping of accounts and the application of tax regulations.
3. Commercial and marketing purposes: Personal Data may be processed for promotional and marketing purposes, including the sending of communications containing advertising, information, promotional material, it being understood that the User may, at the time of assignment and at any time thereafter, request not to allow such processing.
4. Defense of a right in court: Personal Data will be processed at any time when it is necessary to ascertain, exercise or defend a right of the Controller.
5. Legitimate interest of the Controller: the Controller may process, without the User's consent, Personal Data in the case of extraordinary operations of merger, transfer of business unit, in order to allow the implementation of the operations necessary for due diligence and preliminary to the transfer. It is understood that the data exclusively necessary for the above purposes will be processed, in the most aggregate/anonymous form possible.
C - Legal basis of the Processing
The Data Controller shall process the Personal Data relating to the User in the event that one of the following conditions is met:
- the User has given his/her consent for one or more specific purposes (purposes referred to in Section B, no. 3);
- the processing is necessary for the execution of a contract with the User and/or for the execution of pre-contractual measures (purposes referred to in no. 1 and 2 of Section B);
- the processing is necessary to fulfil a legal obligation to which the Data Controller is subject (purposes referred to in no. 1 and 2 of Section B);
- the processing is necessary for the defence of a right in court (purpose referred to in paragraph 4 of Section B);
- the processing is necessary for the pursuit of the legitimate interest of the Data Controller or of a third party (purpose referred to in Section B, no. 5).
However, it is always possible to ask the Data Controller to clarify the concrete legal basis of each processing operation.
D - Methods of processing and storage of data
The processing will be carried out in a lawful, correct and transparent manner, in automated and manual form, with methods and tools designed to ensure maximum security and confidentiality, for specific, explicit and legitimate purposes, by persons appointed as Data Controllers and employees pursuant to EU Regulation 2016/679, in compliance with laws, regulations, provisions and general authorizations. The data will be kept for a period not exceeding that necessary for the purposes for which the data were collected and subsequently processed and in any case in accordance with the contractual or commercial relationship in place.
E - Purposes of communication and dissemination of data
Personal Data may be communicated to companies contractually linked to the Data Controller and, where necessary, also to subjects inside and outside the European Union, in accordance with EU Regulation 2016/679.
The data may be communicated to third parties belonging to the following categories:
- subjects who provide services for the management of the information system used by the Data Controller and the telecommunications networks, and who take care of the maintenance of the IT area (including e-mail and the newsletter service);
- freelancers, studios or companies in the context of assistance and consulting relationships;
- subjects who carry out checks, audits and certification of the activities carried out by the Data Controller;
- competent authorities to fulfil legal obligations and/or provisions of public entities, upon request.
The subjects belonging to the above categories will act as Data Processor or operate in total autonomy as separate Data Controllers. The list of Data Processors is constantly updated and available at the legal headquarters of the Data Controller.
The data processed in application of corporate security procedures are not subject to communication, except in the event of an express and specific request by the competent judicial and public authorities.
In addition, in the course of ordinary processing activities, the Personal Data may be accessed and then disclosed to the persons expressly designated by the Controller as Data Processors and/or Data Handlers, authorized according to their respective profiles.
F - Data transfer abroad
Personal Data may also be transferred outside the European Union to companies and/or entities that are part of the Company, subsidiaries, parent companies or affiliates, located abroad (in Europe and outside Europe) and to the subjects appointed by them to process the data. In this case Studio Volpi will take all necessary security measures to properly protect such Personal Data. Consequently, any transfer of Personal Data to countries outside the European Union will take place in compliance with appropriate guarantees, such as contractual clauses for data protection, pursuant to EU Regulation 2016/679.
G - Security measures
Studio Volpi, in order to achieve the highest standard of security against unauthorized access to Personal Data provided by the User, has adopted and implemented (i) specific policies regarding the management of passwords, computer documents and paper files; (ii) appropriate technological tools to suppress and prevent violations of its computer systems, such as the use of a data encryption system, firewall hardware and software; (iii) a management software produced by Zucchetti S.p.A. of proven safety and reliability; (iv) internal and external IT personnel, with the necessary skills to intervene in the event of a breach of the systems and able to maintain the company's technological tools in order to ensure their operation to the highest standards; (v) archives for paper files protected by access keys and alarm system.
The User may obtain information about the security measures adopted by the Data Controller through the methods described in Section I below.
H - Nature of provision and refusal
With regard to the data necessary and essential for the fulfillment of obligations arising from existing contracts and obligations under laws, regulations, European legislation or provisions issued by the authorities empowered to do so by law and by supervisory and control bodies, failure to provide them will make it impossible to establish or continue the relationship, to the extent that such data are necessary for the execution of such relationship.
The provision of data to allow the Controller to send commercial communications is optional. The User may at any time object to the processing by exercising the rights provided for in EU Regulation 2016/679 in the forms and manner indicated in this information notice.
The Controller also informs the User that failure to communicate, or incorrect communication of, any of the mandatory information will have the following consequences:
- the impossibility for the Data Controller to guarantee the adequacy of the Processing itself to the contractual agreements for which it is carried out;
- the possible mismatch between the results of the Processing itself and the obligations imposed by fiscal, administrative and civil law to which it is addressed.
I - User's rights
As provided for in article 15 of the Regulation, the User may access his/her Personal Data, request its rectification and updating, if incomplete or incorrect, request its deletion if the collection has taken place in violation of laws or regulations, and oppose the Processing for legitimate and specific reasons.
In particular, we report below all the rights that the User may exercise, at any time, against the Data Controller and/or the joint controllers:
1. Right of access: the User will have the right, in accordance with article 15, paragraph 1 of the Regulation, to obtain confirmation from the Data Controller that his/her Personal Data is being or is not being processed and, in this case, to obtain access to such Personal Data and the following information: a) the purposes of the Processing; b) the categories of the processed Personal Data; c) the Recipients or categories of Recipients to whom the Personal Data has been or will be communicated, in particular if Recipients from third countries or international organizations; d) where possible, the period of retention of Personal Data or, if this is not possible, the criteria used to determine such period; e) the existence of the User's right to request the Data Controller to rectify or delete Personal Data or to limit the Processing of Personal Data concerning him or to oppose its Processing; f) the right to lodge a complaint with a supervisory authority; g) if Personal Data is not collected from the User, all available information on its origin; h) the existence of an automated decision-making process, including the profiling referred to in Article 22, paragraphs 1 and 4 of the Regulation and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the User.
2. Right of rectification: the User may obtain, in accordance with Article 16 of the Regulation, the rectification of his/her Personal Data if they are found to be inaccurate. Furthermore, taking into account the purposes of the Processing, the User may obtain the integration of his/her Personal Data that is incomplete, also by providing an additional statement.
3. Right to erasure: the User may obtain, in accordance with Article 17, paragraph 1 of the Regulation, the erasure of his/her Personal Data without undue delay and the Data Controller will be obliged to cancel such Personal Data, if even one of the following reasons applies: a) Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed; b) the consent on which the Processing of Personal Data is based has been revoked and there is no other legal basis for its Processing; c) there has been an objection to the Processing pursuant to Article 21, paragraph 1 or 2 of the Regulation and there is no longer any overriding legitimate reason to proceed with the Processing of Personal Data; d) the Personal Data has been processed unlawfully; e) it is necessary to delete the Personal Data in order to comply with a legal obligation under a European or national law. In some cases, as provided for by Article 17, paragraph 3 of the Regulation, the Data Controller is entitled not to erase Personal Data when the Processing is necessary, for example, for the exercise of the right of expression and information, for the fulfilment of a legal obligation, for reasons of public interest, for purposes of filing in the public interest, for scientific or historical research or for statistical purposes, for the assessment, exercise or defence of a right in court.
4. Right to restriction of Processing: the User may obtain the restriction of the Processing, in accordance with Article 18 of the Regulation, in the following hypotheses: a) the accuracy of the Personal Data has been disputed (the restriction will last for the period necessary for the Data Controller to verify the accuracy of such Personal Data); b) there has been objection to the erasure of the Personal Data requesting a restriction; c) although the Data Controller no longer needs it for the purposes of processing, the Personal Data is used to ascertain, exercise or defend a right in court; d) there has been an objection to the Processing pursuant to Article 21, paragraph 1 of the Regulation and verification is pending as to whether the legitimate reasons of the Data Controller prevail over those of the User. In the event that the Processing is restricted, the Personal Data will be processed, except for storage, only with the User's consent or for the ascertainment, exercise or defence of a right in court or to protect the rights of another natural or legal person or for reasons of significant public interest. In any case, the User will be duly informed before such limitation is lifted.
5. Right to data portability: the User may, at any time, request and receive, in accordance with article 20, paragraph 1 of the Regulation, all his/her Personal Data processed by the Data Controller and/or the Data Processors in a structured, commonly used and readable format or request its transmission to another data controller without hindrance. In this case, the User shall provide the Data Controller with all the details of the new data controller to whom the Personal Data is to be transferred.
6. Right to object: pursuant to Article 21, paragraph 2 of the Regulation and as also reiterated in Recital 70, the User may at any time object to the Processing of his/her Personal Data, if these are processed for direct marketing purposes, including profiling to the extent that it is related to such direct marketing.
7. Right to lodge a complaint with the supervisory authority: without prejudice to the right to appeal in any other administrative or jurisdictional venue, if the User believes that the Processing of his/her Personal Data carried out by the Data Controller and/or the Data Processors violates the Regulation and/or applicable legislation, the User may lodge a complaint with the competent Data Protection Authority.
In order to exercise all the rights identified above, the User may contact the Data Controller and/or the Data Controllers in the following ways:
- by writing to the Privacy Office of Studio Volpi S.r.l. at the headquarters in 21040 - Carnago (VA), Italy, Via G. Matteotti, no. 17b;
- by sending an e-mail to the e-mail address firstname.lastname@example.org to the attention of the Privacy Office of Studio Volpi S.r.l. by inserting “PRIVACY” in the subject line;
- by calling the number +39 0331 985144.