For a downloadable copy click here
Information on personal data processing in accordance with art. 13 of EU Regulation 2016/679 (GDPR).
Eureka S.p.A. Unipersonale, with registered office in Viale dell'Artigianato, 30/32 – Cittadella (PD), PD Business Register, Tax Number 01832650244, VAT Number 02193670284, R.E.A.PD 200231 (hereinafter referred to as the undersigned), in its capacity as the Data Controller, shall hereby inform you of the procedures it follows when collecting, filing and managing your personal data.
Data Controller and Data Protection Officer
The Controller of the processing of your personal data is Eureka S.p.A. Unipersonale, in the person of its Chief Executive Officer.
You can obtain the names of the Data Controller and of the Officers responsible for processing your data by sending a written request to the email address email@example.com.
Purpose of data processing.
Your personal data (such as name, surname, corporate name, job title, address, phone number, e-mail address, bank and/or payment references) and any further personal information, communicated and obtained in any way, on any occasion, at any time and from any sources, shall be lawfully processed in full compliance with the GDPR, and for the fulfilment of the contractual, precontractual or commercial relationship to which you are party.
Processing method and legal basis.
Your personal data are processed via manual and IT tools, by individual operators, under the responsibility of the Data Controller and/or of any appointed data processors.
Personal data processing includes any operation or sequence of operations concerning the collection, recording, organisation, retention, consultation, processing, editing, selection, extraction, comparison, use, blocking, communication, disclosure, destruction and deletion of the data in question.
In this specific case, processing shall consist of collecting personal data through paper forms or by electronic means, and then entering these data into the IT and storage system of the undersigned, which is equipped with IT security mechanisms and kept in protected environments.
The legal basis of the processing is:
A) without express consent (article 6, letters b, c, e and f of the GDPR) for the following purposes:
for compliance with pre-contractual, contractual and tax-related obligations; for compliance with an obligation provided for by the law, by a regulation, by European provisions or by an order from an authority; for the exercise of data controller rights; for management and accounting purposes; for credit management; for statistical and quality control analysis; for insurance management; for technical support; for commercial marketing operations related to the subject-matter of the existing relationship; for market surveys and customer satisfaction monitoring.
B) only with specific and separate consent (article 7 GDPR), for commercial, marketing and profiling purposes not related to the existing relationship and with reference to third-party products and/or services, through newsletters, commercial information, inquiries as to customer satisfaction, e-mail, mail, SMS, phone calls.
Communication and disclosure.
Your personal data may be communicated without your express consent (article 6, letters b and c of the GDPR) for the purposes listed in the previous paragraph, under letter A), to supervisory bodies, to judicial authorities, to insurance companies for the provision of insurance or money-lending services, as well as to the persons to which the data must be communicated pursuant to the law or for the fulfilment of the above-mentioned purposes. The persons in question shall process your data as separate data controllers.
Inside the undersigned company, your data shall be communicated to, and be known by, the employees in charge of the fulfilment of the purposes listed in the above paragraph.
Your personal data shall not be disclosed in any way without your prior consent.
Special categories of personal data.
The undersigned company is not expected to process any data included in the categories provided for by articles 9 and 10 of the GDPR (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic and biometric data, data concerning a person’s health, sex life or sexual orientation, data concerning criminal convictions or offences). Should you provide any such data to the undersigned, it is understood that it shall not be processed without your prior free and explicit consent.
Existence of automated decision making, including profiling.
The undersigned hereby informs you that no automated processing which may concern your personal data, including profiling, as outlined by article 22 of the GDPR, is currently in place.
Transferring of personal data abroad.
The undersigned uses Cloud services which may result in data being stored in third-party non-EU countries (in this specific case, the USA). The transferring abroad is carried out pursuant to the EU-US Privacy Shield agreement, as it can be inferred from the list available on the website “https://www.privacyshield.gov/list”.
Your personal data shall be retained for as long as is necessary for the fulfilment of the above purposes.
The personal data used for the marketing or profiling operations shall be retained until the legitimate interest of the undersigned company comes to an end, or until you withdraw your specific consent.
While your data are being retained we shall periodically verify its correctness and assess the opportunity to erase it if no longer necessary.
Personal data not obtained from the person concerned
The undersigned may have received your data indirectly, pursuant to a contract regulating the relations with another person which already had your data in its possession. In this case, the undersigned shall do whatever it can to make sure that you were informed and gave your consent to the processing. It is understood that at any time you shall have the right to request the undersigned to disclose the source from which it obtained your data.
Rights of data subjects.
In your capacity as the Data Subject, you shall be entitled to exercise the rights provided for by chapter III of the GDPR, sending your requests to Eureka S.p.A. Unipersonale, at the following postal address:
Viale dell'Artigianato 30/32 – 35013 Cittadella (PD)
or at the following e-mail address: firstname.lastname@example.org
In particular, you shall be entitled to exercise the following rights:
- Obtaining information as to the purposes of the data processing, the personal data categories, the recipients or the categories of recipients to which the personal data has been or will be communicated and, when possible, the retention time.
- Obtaining confirmation as to whether there are any personal data concerning you, even still unrecorded.
- Obtaining the update, the rectification or the addition of personal data.
- Obtaining, without any undue delay, the erasure of personal data or the restriction of their processing, in the cases provided for by the law.
- Obtaining certification that the above-listed operations were completed and notified to those to which the personal data were communicated or disclosed, unless the processing in question should prove to be impossible or should involve a disproportionate effort.
- Exercising the right to personal data portability, i.e. the right to receive them from a Data Controller in a structured, commonly used format which can be read by an automatic device, and to transmit them to another Data Controller without restrictions.
- Objecting, in whole or in part and at any time, to the processing of the personal data, including the profiling, unless the Controller can claim to have any legitimate rights that prevail over your interests, rights and freedoms.
- Objecting to a fully automated decision process, including profiling, which produces legal effects concerning you.
In addition, in your capacity as the Data Subject, you have the right to receive from the Data Controller, without undue delay, a notification informing you of any personal data breach, resulting in high risk to your rights and freedoms, as provided for by article 34 of the GDPR.
As provided for by chapter VIII of the GDPR, in your capacity as the Data Subject you shall have the right to lodge a complaint with the supervisory authority, if you consider that the processing of personal data relating to you infringes the above-mentioned GDPR regulation.
The complaint can be lodged with the supervisory authority of the European Union member state in which the Data Subject is habitually resident or works, or of the place where the alleged breach occurred.
Eureka S.p.A Unipersonale