Venitem Srl, headquartered in Via del Lavoro, 10, 30030 Salzano (VE), with VAT registration number 02985780275 (hereinafter “Data Controller”), as owner of the treatment, hereby informs you that, pursuant to art. 13 of D.Lgs. 30.06.2003 n. 196 (hereinafter “Privacy Code”) and to art. 13 of EU Regulation No 2016/679 (hereinafter “GDPR”), your personal data will be treated with the following procedures and purposes:
1) Object of treatment
The Data Controller treats personal data – that is, directly identifying information (in particular: name, surname, VAT registration number, phone number, e-mail address – hereinafter “Personal Data” or “Data”) and not sensitive data – provided by you during the registration to the Data Controller website and/or by subscribing to the newsletter service offered by the Data Controller.
2) Purpose of treatment
The personal data you provide will be processed:
A) Without express consent (art. 24 lett. a, b, c Privacy Code and art. 6 lett. b, and GDPR), for the following standard purposes:
To allow the registration to the website;
To manage and maintain the website;
To allow the subscription to the newsletter service offered by the Data Controller and further services you may request;
To fulfill the pre-contractual, contractual and tax obligations resulting from the current relationship with you;
To fulfill the obligations required by the law, the Regulation, the Community legislation or competent authorities;
To help prevent or detect fraudulent activities or dangerous abuses for the website;
To exercise the Data Collector's rights, such as the right of defence in legal proceedings.
B) Only upon your explicit and specific consent (art. 23 and 130 Privacy Code and art. 7 GDPR), for the following marketing purposes:
To send you by e-mail newsletters, information/promotional communications on products or services offered by the Data Collector. If you are already our customer, we would like to inform you that you may receive commercial communications, similar to those you have already received in the past, unless you expressly dissent (art. 130 c. 4 Privacy Code).
3) Methods of processing and retention period of data
The processing of your personal data is carried out by means of operations listed in art.4 Privacy Code and art.4 n.2 GDPR: collection, recording, organization, storing, consulting, processing, modification, selection, retrieval, comparison, utilization, interconnection, blocking, communication, erasure and destruction of data. The data can be processed both by paper and electronic means.
The Data Collector will process your data only for as long as the Data Collector needs them for the purposes mentioned above, and no later than 10 years after the end of the relationship for the standard purposes and no more than 2 years from the gathering of data for marketing purposes, unless the exercise of the data subject’s rights and/or any other legal requirements.
4) Access to data
Your data will be accessible only for the purposes set out in art. 2.A) and 2.B):
To employees and collaborators of the Data Collector, in the capacity of data processors and/or internal processing data managers and/or system administrators.
To external companies, which support the company in the study of the feasibility of the customer’s project, technical project management, personal data storage, etc., or to third parties (for example: the provider for the management and maintenance of the website, suppliers, credit institutions, professional studios, etc.), which provide outsourced services on behalf of the Data Controller, in the capacity of external processing data managers.
5) Data communication
Without your explicit consent (as per art. 24 lett. a), b), d) Privacy Code and art. 6 lett. b) and c) GDPR), the Data Collector can communicate your data for the purposes under art. 2.A) to supervisory and judicial authorities, as well as to all other subjects to whom the communication is obligatory by law, for the fulfilment of the above-mentioned purposes. Your data will not be disclosed.
6) Data transfers
Your personal data will be managed and stored on servers only within the European Union of the Data Collector and/or third-party companies, duly appointed as data controller. Currently our servers are located in Italy. There will be no transfer of your personal data outside the European Union. In any case, it is expressly understood that, if necessary, the Data Collector will have the right to move the servers location to Italy, and/or EU/non-EU countries. In this case, the Data Collector ensures that data transfers to non-EU Countries will meet the applicable legal requirements. If necessary, the Data Collector will enter into agreements to guarantee an adequate level of data protection and/or apply the general contract terms provided by the European Union.
7) Nature of data provision and consequences of refusal
The provision of data for the purposes set out in art. 2.A) is obligatory. If no data is provided, we will be able to guarantee neither the registration to the website nor the services set out in art. 2.A). The provision of data for the purposes set out in art. 2.B) and 2.C) is instead optional. You can therefore choose to provide no data or to subsequently deny the possibility to process previously submitted data. If so, we will not be able to ensure you the services set out in art. 2.B) and 2.C). In each case, you shall continue to be entitled to the services set out in art. 2.A).
8) Rights of the data subject
The data subject is entitled to exercise the rights set out in art.7 Privacy Code and art.15 GDPR, specifically:
A) The right to obtain confirmation as to whether or not personal data concerning him or her exist, even if they have not been filed properly yet, and communication of such data in intelligible form;
B) The right to information on:
The source of the personal data;
The purposes and methods of processing;
The logic applied when the data is processed with the use of electronic instruments;
The identity of the Data Controller, Data supervisors and the Representative designated pursuant to art. 5.2, Privacy Code and art. 3.1 GDPR;
The parties and categories of parties to which the personal data can be transferred or which can gain knowledge of them as designated of the State, processing officers, or processors;
C) The right to obtain:
The updating, rectification or, where interested therein, integration of the data;
The erasure, anonymisation or blocking of data that have been processed unlawfully, including those that do not need to be retained for the purposes for which the data were collected and subsequently processed;
Certification that the parties to which the data have been transferred or disseminated have been notified of the operations specified in points 8 (A) and (B), also regarding their content, except for the case where notification proves impossible or requires the use of means clearly disproportionate to the right being protected;
D) The right to object, in whole or in part:
On legitimate grounds to the processing of personal data concerning her/him, even though they are relevant to the purpose of collection;
To the processing of personal data concerning her/him, where it is carried out for the purpose of sending advertising materials or direct sales material, for completion of market research or for commercial communication, through the use of automated calling systems without human intervention and/or traditional marketing actions by phone and/or paper mail. It should be noted that the right to object – set out in point B) – for the purposes of direct marketing through automated process, extends to traditional (non-automated) ones. The Data Subject has nevertheless the right to object, even only partially. The Data Subject can therefore choose to receive communication only through traditional methods: that is to say, only automated communications or neither of the two types.
Where applicable, the Data Subject also has the rights set out in art. 16-21 GDPR (right to rectification, right to erasure – “right to be forgotten” -, right to restriction of processing, right to data portability, right to object) as well as the right to lodge a complaint with a supervisory authority.
9) How to exercise your rights
You may exercise your rights at any time, by sending:
A registered letter with receipt advice, addressed to: Venitem Srl, Via del Lavoro 10, 30030 Salzano (VE) – Italy
An e-mail to firstname.lastname@example.org
A Certified mail (in Italian PEC – Posta Elettronica certificata) to email@example.com
The website and the services of the Data Collector are not intended for users under the age of 18. Moreover, the Data Collector does not intentionally collect personal information of minors. Where personal information of minors is unintentionally gathered, the Data Collector will erase it immediately, on user demand.
11) Data Collector, person in charge and data processors
The Data Collector of the processing is Venitem Srl in the person of its legal representative pro-tempore, headquartered in Via del Lavoro 10, 30030 Salzano (VE). The updated list of persons in charge and data processors is kept at the Data Collector headquarters.
12) Amendments to the present policy
This policy may be subject to changes and updates. We therefore recommend checking it regularly and referring to the most up-to-date version of it.
13) Transfer to third countries
Users’ personal data are transferred by Venitem Srl to the following third countries: U.S. and United Kingdom. Data are transferred on the basis of adequacy decisions granted by the European Commission and of subsequent authorization measures by Data Protection Officer and on the basis of standard contractual clauses between owner and data controller.
More specifically, it is reported that:
* the personal data constituting the subject-matter herein described are stored in cloud on Infusion Software, Inc. servers – a company under American law, based in 1260 S. Spectrum Blvd., Chandler, AZ 85286, US. Data are stored on Infusion Software servers. Infusion Software answers to GDPR implementation as reported at these links: https://keap.com/legal/data-protectionfaq and https://keap.com/legal/dpa
* the personal data constituting the subject-matter herein described transit in cloud on Zapier, Inc. servers – a company under American law, based in 548 Market St. #62411, San Francisco, CA 94104-5401, US. In this case, data transit in the U.S. takes place on the basis of “Commission Implementing Decision 2016/2295/EU of 12th July 2016 (in compliance with Directive 95/46/EC of the European Parliament and of the Council) on the adequacy of the protection offered by EU-US Shield” [notified under document number C(2016)4176] and the subsequent “Authorisation for Transfer of Personal Data Abroad as a result of the Agreement called “EU-US Privacy Shield”” issued by Data Protection Officer on 27.10.2016, being Zapier listed in the above-mentioned Privacy Shield.