Information note: pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”) 

 

Dear User, Immsi S.p.A. welcomes you to our website www.immsi.it (the “Website”) and invites you to pay attention to the following information (the “Information Note”), issued pursuant to Article 13 of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data, as well as on the free movement of such data (“GDPR”).

This document describes how the Website is managed in relation to the processing of your personal data by the Data Controller, as defined below. The Information Note concerns only the Website; any website that you may be redirected to from the Website is excluded.

1. WHO IS THE DATA CONTROLLER AND THE DPO?

The Data Controller is Immsi S.p.A., with registered office in Piazza Vilfredo Pareto, 3 - 46100 Mantova (the “Data Controller”). It is possible to contact the Data Controller at the telephone number 0376/2541, or by writing to its registered office.

The Data Protection Officer (“DPO”) appointed by the Data Controller pursuant to Articles 37 et seq. of the GDPR is Immsi Audit S.p.A. (in the person of the Managing Director Maurizio Strozzi). You can contact the DPO at the telephone number 0376/24641, by ordinary mail at Piazza Vilfredo Pareto, 3 - 46100 Mantova, or by sending an e-mail to privacy@immsi.it.

The updated list of the Data Processors and staff involved in processing is kept at the registered office of the Data Controller.

2. WHAT IS THE PERSONAL DATA? WHAT ARE THE PURPOSES OF THE PROCESSING OF YOUR DATA?

“Personal Data” means information suitable for identifying a physical person directly or indirectly, in this case you as you are browsing on the Website (“Data”).

During their normal operation, the computer systems and software procedures used to operate this Website acquire some personal data whose transmission to the Data Controller is implicit in the use of internet communication protocols.

This is information that is not collected to be associated with identified data subjects, but which by its very nature could, through its processing and association with data held by third parties, allow users to be identified.

This category includes IP addresses, or domain names, of the computers used to connect to the Website, URI (Uniform Resource Identifier) addresses of the requested resources, the timestamp of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the server response status (successful, error etc.), and other parameters pertaining to the user’s operating system and IT environment.

Your data may be collected and processed in order to carry out any activity concerning the management and administration of the Website.

In any case, we are committed to ensuring that the information collected and used is appropriate to the purposes described and that this does not lead to an invasion of your personal sphere.

Apart from that specified for browsing data, the user is free to provide personal data contained in the appropriate electronic request forms, in the sections of the Website prepared for particular services on request.
The request for sending e-mails to the addresses indicated in the appropriate section of the Immsi S.p.A. Web Site involves the acquisition of some personal data of the applicant necessary to respond to requests.
Specific summary information will be progressively shown or displayed on the website pages dedicated to any particular service requested.         

Immsi S.p.A. does not allow minors under 16 years of age to supply personal data.

3. WHAT METHODS WILL BE USED TO PROCESS YOUR PERSONAL DATA?

The processing of your personal data shall take place in compliance with the provisions of the GDPR, by means of physical, computerised and telematic tools, with logic strictly related to the purposes indicated and, in any case, with suitable methods to guarantee security and confidentiality in compliance with the provisions of Article 32 of the GDPR. Your personal data will not be transferred to third parties outside the European Union and will not be disseminated.

4. WHERE DO WE TRANSFER YOUR DATA?

The server farm in which the Website is located is situated in Milan.

Your data are not transferred to third-party companies located outside the European Economic Area. Should this transfer be necessary, we will take care to ensure that the recipients of your data have adopted appropriate security measures to guarantee their protection.

5. HOW LONG DO WE RETAIN YOUR DATA?

We process your data for the time strictly necessary to achieve the purposes indicated in paragraph 2 above.  

We reserve the right to retain log data for a longer period, in order to be able to manage any crimes committed against the Website (e.g. hacking activities).

6. WHAT ARE YOUR RIGHTS AS A DATA SUBJECT REGARDING PROCESSING?

In relation to the processing described in this Information Note, you may exercise the rights listed in this section, set out in Articles 15 to 21 of the GDPR. In particular:  

  • Management of your data – Right of access – Article 15 of the GDPR: the right to obtain confirmation from the Data Controller about whether or not personal data processing is underway concerning you and, if so, to obtain access to your personal data - including a copy thereof - and the communication of the following information:

a)   purpose of the processing;

b)   categories of personal data processed;

c)   recipients or categories of recipients to whom personal data have been or will be communicated;

d)   data retention period or the criteria used to determine it;

e)   the existence of the right to ask the Data Controller to rectify or delete personal data, or limit the processing of personal data concerning the data subject, or the right to object to such processing;

f)    the right to lodge a complaint with the competent authority;

g)   the origin of the personal data, if these were not collected directly;

h)   the existence of any automated decision-making processes, including profiling.

  • Rectification of inaccurate or incomplete information – Right of rectification – Article 16 of the GDPR: the right to obtain, without undue delay, the correction of inaccurate personal data concerning you or the integration of incomplete personal data.
  • Cancellation – Right to cancel – Article 17 of the GDPR: the right to obtain, without undue delay, the correction of inaccurate personal data concerning you, whenever:

a)   the data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;

b)   you have revoked your consent and there is no other legal basis for the processing;

c)   you have objected strictly to the processing of personal data;

d)   the data were unlawfully processed;

e)   the data must be deleted to comply with a legal obligation;

f)    the personal data have been collected in relation to the provision of information society services referred to in Article 8 (1) of the GDPR.

g)   If you no longer wish for us to use your information, you may request the deletion of your personal data. We inform you that if you request the deletion of your personal data, we may store and use your personal data to the extent that this is necessary to comply with legal obligations or to perform a task carried out in the public interest or for the exercise of a public authority attributed to the Data Controller, or for the assessment, exercise or defence of a right in court. By way of example, we may retain some of your personal data for tax, legal and audit obligations.

  • Limitation of processing – Right to limitation of processing – Article 18 of the GDPR: right to obtain the limitation of processing from the Data Controller, if:

a)   you dispute the accuracy of personal data for the period necessary for the Data Controller to verify the accuracy of such personal data;

b)   the processing is illegal and you are opposed to the cancellation of personal data and ask instead that its use be limited;

c)  although the Data Controller no longer needs it for processing purposes, the personal data are necessary for you to ascertain, exercise or defend a right in court;

d)   you have objected to the processing pursuant to Article 21, paragraph 1 of the GDPR pending verification of the possible prevalence of the legitimate reasons of the Data Controller with respect to yours.

  • Access to data and portability – Right to data portability – Article 20 of the GDPR: the right to receive, in a structured format which is commonly used and readable by an automatic device, the personal data concerning you provided to the Data Controller and the right to transfer them to another Data Controller without impediments, if the processing is based on consent and is performed with automated means. Furthermore, the right to ensure that your personal data is transferred directly by the Data Controller to another Data Controller if this is technically feasible.
  • Complaints – to file a complaint with the competent Authority regarding personal data, sending the complaint to: Piazza di Monte Citorio no. 121 - 00186 Rome; email: protocollo@pec.gpdp.it.

The above rights may be exercised against the Data Controller using the contact details indicated in point 1 above. The Data Controller shall handle your request and provide you, without undue delay and, in any case, no later than one month after receipt of the request, with information relating to the action taken regarding your request.

The exercise of your rights as a data subject is free of charge under Article 12 of the GDPR. However, in the case of manifestly unfounded or excessive requests, including due to their repetitiveness, the Data Controller may charge a reasonable fee, in light of the administrative costs incurred to manage your request, or deny the satisfaction of your request.

Finally, we inform you that the Data Controller may request additional information necessary to confirm the identity of the data subject.