
Personal Data Processing Notice – Privacy Policy
The company C.I.M.E.S. SpA (hereinafter the “Data Controller” or the “Company”), as Data Controller of personal data pursuant to and for the purposes of Regulation (EU) 2016/679 (hereinafter the “Regulation”), in accordance with Articles 13 and 14 of the Regulation, provides data subjects with information on the processing of their personal data, which will be carried out in accordance with the principles of fairness, lawfulness, transparency, and protection of confidentiality and of your personal rights, in compliance with the applicable laws and regulations.
Nature and type of data collected
In the course of our business, we process ordinary personal data relating to customers, prospective customers and suppliers, or to contact persons within companies or organizations belonging to these categories with whom we have commercial and professional relationships. Most of the personal data we collect and use is provided directly by the data subjects; other personal data we process may come from public sources. Among the data processed, we use essential contact information such as first and last name, email address, phone numbers, workplace location and address, role in the company or job position, and information about the data subject’s economic activity. In addition, we may obtain other personal data from sales or purchase contracts, business cards, websites and Social Media profiles, digital or printed publications, or directly from individuals during ordinary professional interactions. For these data subjects, we process only ordinary personal data and not special/sensitive data as per Article 9.
Purposes and legal basis of processing
Data will be processed for the following purposes connected with the fulfilment of legal obligations or contractual requirements, or for the performance of obligations related to contractual or pre-contractual measures:
- Proper and complete performance of contracts with customers and suppliers;
- Fulfilment of mandatory legal obligations;
- Management of relationships with customers and suppliers and their contact persons;
- Supply of the contracted products or services;
- Management of purchases and sales and planning of work activities;
- Retention of sales and purchase documents and documents relating to the data subjects.
The provision of data that are mandatory for compliance with legal or contractual obligations is necessary: failure to provide such data, or the provision of incorrect data, may make it impossible for the Data Controller to ensure the appropriateness of the processing and to achieve the purposes for which the data are used.
On the basis of the Data Controller’s legitimate interest, the Data Controller may also use the data for the following purposes:
- Direct marketing activities to provide information and updates on products and services;
- Quality management and measurement of customer and supplier satisfaction;
- Exercise of the defence of the Data Controller or third parties, including in legal proceedings;
- Dispute management and/or debt collection.
Methods of processing
Personal data will be processed by manual and IT procedures, in compliance with the principles set out in Articles 5 and 6 of the Regulation and through the adoption of appropriate security measures pursuant to Article 32. Data will be processed only by personnel authorized and instructed by the Data Controller pursuant to Article 29, or also by third parties acting as Data Processors for the relevant processing activities pursuant to Article 28 of the Regulation.
Disclosure of data
For the indicated purposes, personal data will be disclosed exclusively to parties competent to provide the necessary services, with safeguards to protect the data subject’s rights:
- Internal company staff;
- Companies, consultants or other third parties, including in associated form, for services functional to our activities;
- Private and/or public entities to whom disclosure is required by law;
- Transport companies, logistics companies, postal services;
- Banks, insurance companies, commercial information companies, credit information companies, or debt collection companies.
Further information on the parties to whom data may be disclosed will be provided to data subjects when exercising their rights pursuant to Article 15 of the Regulation. Processed personal data will not be disseminated in any way and will not be transferred outside Europe.
Retention
In compliance with the principles of lawfulness, purpose limitation and data minimization, the retention period of your personal data is set for a period not exceeding what is necessary to achieve the purposes for which they are collected and processed; in particular, data will be retained for the duration of the contractual or commercial relationship with the data subject or their organization, subject to any legal obligations for the retention of tax documents or documents having legal value.
European Regulation (EU) 2016/679 – Articles 15 to 22 – Data subject’s rights
The data subject has the right to obtain confirmation as to whether or not personal data concerning them exist, even if not yet recorded, and to receive such data in an intelligible form. The data subject has the right to obtain information on:
- the origin of the personal data;
- the purposes and methods of processing;
- the logic applied in the case of processing carried out with the aid of electronic tools;
- the identity details of the Data Controller, the Data Processors and the representative designated pursuant to Article 5(2);
- the subjects or categories of subjects to whom personal data may be disclosed or who may become aware of them as designated representative in the territory of the State, or as data processors or authorized persons.
The data subject has the right to obtain:
- updating, rectification or, where the data subject has an interest, completion of data;
- erasure, anonymization or blocking of data processed unlawfully, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;
- certification that the operations referred to in the two preceding points have been notified, also as regards their contents, to those to whom the data have been disclosed or disseminated, except where such fulfilment proves impossible or involves a manifestly disproportionate effort compared to the protected right;
- data portability.
The data subject has the right to object, in whole or in part:
- on legitimate grounds, to the processing of personal data concerning them, even if relevant to the purpose of collection;
- to the processing of personal data concerning them for the purpose of sending advertising material or direct selling or for carrying out market research or commercial communication.
To exercise their rights, the data subject must contact the Data Controller:
C.I.M.E.S. SpA – via R. Guastalla 4, 46029 Suzzara (MN) – Mail: info@cimesgroup.it – PEC: cimes@legalmail.it. The data subject may also lodge a complaint, in the manner and within the time limits provided, with the Italian Data Protection Authority (Garante Privacy): please visit the website www.garanteprivacy.it for more information.
