Information document pursuant to and for the purposes of Article 13 EU Regulation 2016/679 – GDPR – Information on the processing of personal data collected from the interested party.
In compliance with the General Data Protection Regulation (EU) 2016/679 we would like to kindly provide you with the necessary information regarding the processing of personal data supplied by you. The information document herein shall not be considered valid for other websites that may be consulted through links on the domain owner’s Internet sites, which is not to be considered in any way responsible for third party websites. This is an information document drafted pursuant to Article 13 of the General Data Protection Regulation (EU) 2016/679 – GDPR. The information document is also based on the Recommendation No. 2/2001 that the European authorities for the protection of personal data, gathered in the Group formed pursuant to , adopted on May 17th, 2001, in order to identify certain minimum requirements for the collection of personal data on-line, and in particular the methods, timing and nature of the information that the data controllers must provide to users when they connect to website pages, regardless of the purposes of the connection, as well as the provisions of Directive 2002/58/EC, as updated by Directive 2009/136/EC, on the subject of cookies.
Personal Data (Art. 4 GDPR): any information concerning an identified or identifiable natural person (‘interested party’); an identifiable natural person can be identified, either directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online ID or one or more characteristic elements of their physical, physiological, genetic, psychological, economic, cultural or social identity; (C26, C27, C30)
Specific information documents
Specific information could be presented on the pages of the Website in relation to particular services or processing of the data provided.
For more information on the cookies used by this website, see the following cookies policy link
1. DATA CONTROLLER, pursuant to art. 4 and 24 of the GDPR, is Boffi spa, Via Oberdan, 70 – 20823 Lentate sul Seveso (MB), Italy, in the person of the pro-tempore legal representative.
The contact email of the data controller is firstname.lastname@example.org.
2. DATA PROCESSOR (RPD/DPO- Data Protection Officer) is identified pursuant to articles 37 – 39 of the EU Reg. 2016/679. The contact email of the DPO is email@example.com.
3. PURPOSE AND LEGAL BASIS OF PROCESSING
Personal data will be processed in compliance with the conditions of lawfulness pursuant to art. 6 EU Reg. 2016/679 for the following purposes:
a) navigation on the Internet website herein; – possible filling out of forms for contact request, sending requested information; – possible filling out and completion of data collection forms for personnel selection;
b) possible completion and filling out of forms for the receipt of communication material, for direct marketing activities, newsletters, market research or other sample searches and sale via automated electronic mail, MMS or SMS messages or other types, as well as through telephone calls and use of paper mail, of material information on products from BOFFI, DE PADOVA, and MA/U Studio, for the survey of satisfaction, promotional, commercial and advertising material or inherent events and initiatives by the Data controller, even through the companies appointed as Data Processors (De Padova Srl, single shareholder company, Boffi Trade srl, MA/U Studio srl, Boffi Barberini srl); the data will be entered in the company CRM. The Data controller, in order to compare and possibly improve the results of communication material, uses systems for sending newsletters and promotional communications with reports.
As a result of the aforementioned reports, the Data Controller will be able to understand, for example: the number of readers, openings, individual “clickers” and clicks; the devices and operating systems used to read the communication material; the detail on the activity of individual users; the details of the emails sent, e-mails delivered or not, of those forwarded. All these data are used for the purpose of comparing, and possibly improving, the results of communications.
LEGAL BASIS The processing of data pursuant to the purpose a) is based on the legitimate interest pursuant to Article 6 (1) (f): (with reference to 47) taking into account the reasonable expectations of the interested party at the time and in the collection of personal data, when the interested party can reasonably expect their data to be processed for this purpose.
The processing of data according to the purpose b) is based on the consent pursuant to Article 6, paragraph 1), letter a) of the GDPR.
4. RECIPIENTS OR CATEGORIES OF DATA RECIPIENTS
The personal data provided will be communicated to recipients, who will process the data as data processors (Article 28 of EU Reg. 2016/679) and/or as natural persons acting under the authority of the Data Controller and the Data Processor (Article 29 of EU Reg. 2016/679), for the purposes listed above in point 3, and to third parties. Namely, the data will be communicated to: suppliers of services for the management of the information system used by Boffi spa and telecommunications networks (including e-mails and platforms); – firms or companies providing assistance and consultancy; – Associates, subsidiaries or companies contractually linked to Boffi spa and/or as part of its distribution network (such as branches, importers, distributors, forwarders, etc.), even established in countries outside the EU; – authorities competent for carrying out the relevant laws and/or regulations of public bodies, on request; to the sales/distribution network in the territory.
The subjects belonging to the above categories are considered Data processors, or they act independently as separate Data controllers. The list of the data processors is constantly updated and available at the headquarters of Boffi spa Via Oberdan, 70-20823 Lentate sul Seveso, Italy.
5. DATA TRANSFER TO A THIRD-PARTY COUNTRY AND/OR AN INTERNATIONAL ORGANIZATION AND GUARANTEES.
The personal data provided may be transferred to countries that are part of the European Union and to countries outside the EU, in order to comply with the aforementioned purposes.
The data will be transferred according to Article 44 – General principle for the transfer; Article 45 – Transfer on the basis of an adequacy decision; Article 46 – Transfer subject to adequate guarantees, specifically the data will be transferred:
– to third-party countries or international organizations for which the Commission has intervened with an adequacy assessment (Article 45 of the EU Reg. 2016/679)
– to third-party countries or international organizations that have provided adequate guarantees and in which the interested party has rights to action and effective recording methods and means (article 46 EU Reg. 2016/679, also with contractual clauses and the other provisions referred to in Article 46, paragraph 3)
– to third-party countries or international organizations on the basis of exceptions in specific situations (Article 49 of the EU Reg. 2016/679).
For information about the guarantees concerning the transfer of data outside the EU, write to firstname.lastname@example.org.
6. PERIOD OF DATA STORAGE OR CRITERIA FOR DETERMINING THIS TIME PERIOD.
Data processing will be carried out in an automated and manual way, with methods and tools aimed at guaranteeing maximum security and confidentiality, by subjects specifically appointed to do so. In compliance with the provisions of Article 5, paragraph 1 letter e) of EU Reg. 2016/679, the personal data collected will be stored in a form that allows identification of data subjects for a period of time not exceeding the achievement of the purposes for which the personal data are processed. The retention of personal data provided depends on the purpose of the processing:
– for contact request (maximum 1 year);
– for reserved area registration/login (maximum 2 years);
– data collection for personnel selection (maximum 2 years);
– receive newsletters or promotional communications in general via e-mail (maximum 24 months);
Timing determined on the basis of criteria that the interested party can have information on by writing to email@example.com.
7. RIGHTS OF THE INTERESTED PARTIES
You can assert your rights as expressed in EU Regulation 2016/679, by contacting the Data Controller, by sending an email to firstname.lastname@example.org or by writing to the office of the Data Controller indicated above. You have the right, at any time, to ask the Data Controller to access your personal data (Article 15), its correction (Article 16) or the cancellation (Article 17) of the aforesaid, or the limitation of processing (Article 18) or to oppose their processing based on legitimate interest (Article 21). Lastly, you have the right to data portability (Article 20).
Revoking consent. If the processing is based on consent, you have the right to withdraw the consent at any time without prejudice to the lawfulness of the treatment based on the consent given prior to the revocation.
To oppose the processing and to exercise the other rights you can write to email@example.com.
In order to stop receiving automated direct marketing communications (email, SMS, MMS, fax), you can simply write at any time an e-mail to firstname.lastname@example.org with the subject line: “cancellation from automated mail” [in Italian: “cancellazione da automatizzato”] or use our systems of automatic cancellation provided only for e-mail, and you will not be disturbed any more. To stop receiving direct traditional marketing communications (phone calls with operator, paper mail), you can simply write at any time an e-mail to email@example.com with the subject line “cancellation from traditional marketing” [In Italian: “cancellazione da tradizionale”], and you will not be further disturbed.
You have the right to lodge a complaint with a supervisory authority.
There is no automated decision making process.
8. NATURE OF PROVISION AND REFUSAL
The provision of data for the purposes referred to in point A) is optional, however necessary. Any refusal to provide the necessary data with respect to point A) shall make it impossible to use the services of the data controller. The provision and consent to the processing for the purposes referred to in points B) is optional. The refusal of consent for the purposes described in points B) above, however, does not imply any negative consequence with regard to the purposes referred to in point A). The marketing activity is only possible and will be carried out only with the specific consent of the interested party. The inclusion of data in the CRM is optional and will automatically result in the visibility of the same by those who have access, i.e. the data processors and parties entitled to processing, present at points of sale in the world.
Updated on: May 22nd, 2018