INFORMATION ON THE PROCESSING OF PERSONAL DATA
Pursuant to articles 12, 13 and 14 of EU Regulation 2016/679 of 27/04/2016, hereinafter referred to as GDPR (General Data Protection Regulation), Thierry Rabotin S.r.l. informs you of the following:
Data Controller
The data controller is Thierry Rabotin S.r.l., in the person of its legal representative, with registered office in Parabiago, Via Sempione, 60, Tax Code and VAT number IT13631600965, Tel. +39 0331 495 007, Fax +39 0331 492 180.
The Data Controller has not appointed a personal data protection officer (DPO), therefore, the contact persons will be the Data Controller and any internal data processors.
Interested parties:
Customers and suppliers, including potential ones (natural persons or, in the case of legal entities, related company representatives)
This document sets out the methods and purposes of the processing of your personal data carried out as part of your customer/supply relationship with THIERRY RABOTIN SRL, as well as any further information required by law, including information on your rights and their exercise.
Art. 4, no. 1 of the GDPR provides that “Personal Data” must be understood as any information relating to an identified or identifiable natural person: the Data Subject.
Art. 4, no. 1 of the GDPR provides that “Special Categories of Personal Data” must be understood as any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data relating to health or sex life or sexual orientation of the person.
“Processing” means any operation or set of operations, whether or not carried out by automated means, applied to Personal Data or sets of Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, the alignment or combination, restriction, erasure or destruction (Art. 4(2) GDPR).
Pursuant to art. 12 et seq. of the GDPR, with this Policy, the Data Subject is made aware of the appropriate information relating to (i) the Processing activities that are carried out by the Data Controller and (ii) your rights as a Data Subject.
1. Nature and categories of data processed
In order to pursue the purposes better identified in section 2 below (“Purposes of the Processing”), the Company may process your Personal Data of a “COMMON NATURE”, including mainly: identification and personal data (e.g. name, surname, identity document, place and date of birth, domicile, residence, images, etc.), contact data (e.g. telephone number, e-mail address, certified email), tax data (e.g. tax code), bank details, data relating to tasks, roles, assignments, work experience.
The processing of Special Categories of Personal Data is excluded.
2. Purpose of the processing
The processing of your Personal Data is aimed at managing your contractual/pre-contractual relationship with the Company and the consequent fulfilment of legal and tax obligations, as well as at the effective management of financial and commercial relations. The processing may also be aimed at pursuing any further legitimate interest on the part of the Data Controller (e.g. for the exercise and/or defence of a right in judicial, administrative or arbitration and conciliation procedures; to ensure the security of access to the Data Controller’s premises, etc.) and in any case for the fulfilment of legal obligations to which the Data Controller is subject, in particular in civil, tax and accounting matters, as well as to implement instructions issued by the tax authorities or by authorities or supervisory bodies empowered to do so by law.
The Company does not carry out direct marketing activities by sending promotional communications by e-mail; in any case, it is possible to provide specific and explicit prior consent by filling in and sending the appropriate form at the end of this document. In these cases, the legal basis for the processing will be the consent of the Data Subject and the refusal to provide it will not entail any consequences, in particular, for the regular performance of the contract. In addition, any consent given for processing for marketing purposes may be revoked at any time, without prejudice to the lawfulness of the processing carried out before the revocation.
The Company may in any case send e-mails pursuant to Article 130, paragraph 4, of Legislative Decree 196/2003 – Privacy Code as amended to promote products or services similar to those provided as part of the contractual relationship (so-called soft spam), provided that the interested party does not refuse such use, initially or on the occasion of subsequent communications (Marketing Purposes on similar products/services).
3. Legal basis
The processing of Personal Data, for the purposes referred to in section 2 above (“Purposes of the Processing”) does not require the consent of the Data Subject as such processing is necessary to execute the pre-contractual measures/contractual relationship between the Company and you (i.e. the Customer/Supplier of THIERRY RABOTIN of which you are the contact person) and to allow the mutual fulfilment of the obligations arising therefrom, as well as to allow the Company to comply with legal obligations and/or the pursuit of the Company’s legitimate interest in carrying out its business activities.
4. Processing methods
In accordance with the provisions of art. 5 of the GDPR, the Personal Data subject to Processing are:
- processed in a lawful, fair and transparent manner towards the Data Subject;
- collected and recorded for specific, explicit and legitimate purposes, and subsequently processed in terms compatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, if necessary, updated;
- processed in a manner that ensures an adequate level of security;
- stored in a form that allows the identification of the Data Subject for a period of time not exceeding the achievement of the purposes for which they are processed.
Personal Data will be processed by the Data Controller with automated, electronic, computer or telematic tools, and non-automated, on paper. Specific security measures are observed to prevent the loss of data, illicit or incorrect use and unauthorized access.
Automated decision-making processes pursuant to Article 22 of the GDPR will not be used.
5. Provision of Personal Data
In general, the provision of Personal Data is necessary for the purposes of negotiating, establishing, managing and executing the contractual customer/supply relationship with the Company.
Any refusal to provide Personal Data, in fact, makes it objectively impossible for the Data Controller to execute the contractual relationship and/or to correctly carry out all the obligations provided for by law and/or contract.
6. Personal data retention period
Personal Data are stored for the time strictly necessary to achieve the purposes for which they were collected and subjected to Processing on the basis of the purposes set out in section 2 (“Purposes of Processing”) of this information document. As a general principle, therefore, Personal Data will be kept for the period of time necessary for the execution of the contract.
However, it is understood that, once the contractual (or pre-contractual) relationship with the Company has been interrupted and, with it, the related purposes of the Processing, the Data Controller will in any case be obliged and/or entitled to further retain the Personal Data, in whole or in part, for certain purposes, as expressly required by specific contractual provisions (e.g. obligations of an ultraactive nature) or for legal obligations, in particular in tax matters, and for the possible assertion and/or defense, including in court, of the Company’s rights (e.g., in the event of possible disputes by the Data Subject with respect to the contract signed with the Company).
7. Communication of Personal Data
The Personal Data will be accessible, within the scope of their respective functions, to the employees and collaborators of the Data Controller (e.g. employees of the Sales Department) duly designated for the performance of specific tasks and/or functions as authorized/appointees, to external collaborators and service providers for the Data Controller, designated as data processors, to whom specific written instructions have been given, to the extent that this is strictly necessary for the pursuit of the purposes referred to in section 2 (“Purposes of the Processing”) of this information document.
The data collected and processed may, therefore, be communicated exclusively for the purposes specified above to:
- Postal agencies or other freight forwarders for the delivery of correspondence;
- Transport companies for the shipment of goods;
- Banking/financial institutions for the management of Collections and Payments;
- Business consultants and freelancers, also in association with each other, who collaborate with the Data Controller (e.g. accountants, persons in charge of auditing the financial statements and administrative, tax and contractual consultants);
- Insurance companies;
- Public bodies in compliance with regulatory obligations.
The list of data processors designated by the Data Controller is available at the request of the Data Subject.
It should be noted that for business needs, some of your personal data may be communicated to companies belonging to the same corporate group as the Data Controller, in line with Recital no. 48 GDPR according to which “Data controllers belonging to a business group or entities connected to a central body may have a legitimate interest in transmitting personal data within the business group for internal administrative purposes, including the processing of customers’ personal data […]”.
8. Disclosure of Personal Data
The Personal Data of the Data Subject are not subject to dissemination.
9. Transfer of Personal Data abroad
Your Personal Data will not be transferred outside the European Union.
10. Rights of the Data Subject
As Data Subjects, the identified or identifiable natural persons to whom the processed data refer may exercise the rights recognized by the Privacy Legislation and, in particular:
- right of access, i.e. the right to obtain confirmation from the Company as to whether or not the data is being processed and, if so, to obtain access to it (art. 15 GDPR). In particular, the Data Subject has the right to obtain information on (i) the origin of the personal data; (ii) the purposes and methods of processing; (iii) the logic applied in the case of processing carried out with the aid of electronic tools; (iv) the identification details of the Data Controller, the data processors (art. 4, no. 8 GDPR) and the data protection officer designated by the Data Controller pursuant to art. 37 of the GDPR (DPO); (v) the subjects or categories of subjects to whom the Personal Data may be communicated or who may become aware of them in their capacity as data processors or (if any) persons in charge or (if any) designated representative in the territory of the State;
- right to rectification, i.e. the right to obtain the rectification of inaccurate data and/or the completion of incomplete data (Art. 16 GDPR);
- right to be forgotten, i.e. the right to obtain the cancellation, transformation into anonymous form or blocking of Personal Data processed in violation of the law, including those whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed, in certain circumstances provided for by law (art. 17 GDPR);
- the right to receive certification that the operations referred to in letters b) and c) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case in which this fulfilment proves impossible or involves the use of means manifestly disproportionate to the protected right;
- right to restriction of processing, i.e. the right to object to processing or to obtain the restriction of the processing of Personal Data in accordance with the law (art. 18 GDPR);
- right to be informed of rectifications and deletions and limitations of the processing of Personal Data (art. 19 GDPR);
- right to portability, i.e. the right to receive Personal Data in a structured, commonly used and machine-readable format as well as the right to transmit the data to another data controller – this right to “portability” applies only to Personal Data provided by the Data Subject and may be subject to certain restrictions, as provided for by the Privacy Legislation (art. 20 GDPR);
- right to object, i.e. the right to object to the processing of data if there are legitimate reasons, including with reference to data processing for marketing and profiling purposes, if provided for (art. 21 GDPR);
- the right to withdraw the consent given, at any time, without prejudice to the lawfulness of the processing based on the consent given before the withdrawal (art. 7 GDPR);
- right to compensation, i.e. the right to obtain from the Data Controller and/or the Data Processor full and effective compensation for material or immaterial damage suffered (financial loss, identity theft, discrimination, etc.), if caused by the processing of the data subject’s personal data in violation of the Regulation and the Data Controller and/or the Data Processor are unable to demonstrate that the harmful event is not attributable to them (Article 82 of the GDPR);
- right to lodge a complaint with the Italian Data Protection Authority (Piazza Venezia, 11 – 00187 Rome RM – PEC: protocollo@pec.gpdp.it) in the event of unlawful processing (art. 77 GDPR) without prejudice to the limits set out in Legislative Decree No. 101/2018, art. 2-undecies (Limitations on the rights of the data subject) and art. 2-duodecies (Limitations for reasons of justice).
Personal data breach.
The Data Controller is required to:
- notify any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed to the Data Protection Authority without undue delay and, where possible, within 72 hours of becoming aware of it, unless it is unlikely that the same violation would constitute a risk to the rights and freedoms of natural persons. In the event that this time limit is not respected, the notification of violation must be accompanied by the reasons for the delay. For the minimum content of the notification, please refer to the provisions of art. 33 of the GDPR;
- communicate any data breach to the Data Subject without undue delay if such breach constitutes a high risk to the rights and freedoms of natural persons, except in the cases provided for by art. 34 of the GDPR.
Communications and exercise of the rights of the Data Subject
To exercise the rights referred to in section 10 (“Rights of the Data Subject”), you may submit a written request, addressed informally, to the Data Controller by sending a communication to the following e-mail address: privacy@thierryrabotin.com.