Privacy Customers
Policy pursuant to and for the purposes of Article 13 of Regulation (EU) 2016/679 (GDPR) and Article 130 of the Privacy Code
| 1. WHO IS THE DATA CONTROLLER? HOW TO CONTACT THE DATA CONTROLLER? The Data Controller is COSTRUZIONI ELETTROTECNICHE CEAR S.R.L., with registered office at Via Monza 102 – 20060 Gessate (MI), in the person of its Legal Representative pro-tempore, who may be contacted for any information by calling +39 02 9292901 or emailing info@cearsistemi.it. |
| 2. PRINCIPAL DEFINITIONS Personal Data – any information regarding an identified or identifiable natural person (“Data Subject”), with a natural person is considered identifiable if they can be directly or indirectly identified with particular reference to an identifier such as a name, an identification number, data related to their place of dwelling, an online identifier or one or more elements characteristic of their physical, physiological, genetic, psychic, financial, cultural or social identity; Contractor/User Data: – “Contractor” means any natural person, legal person, entity or association party to a contract with a provider of publicly-available electronic communications services for the provision of such services or otherwise a recipient of such services through prepaid cards; – “User” means any natural person who avails of an electronic communication service accessible to the public, for private or commercial reasons, without necessarily having subscribed thereto. |
3. PURPOSE OF THE PROCESSING, LEGAL BASIS, RETENTION PERIOD, NATURE OF THE DATA PROVISION
| PURPOSE OF PROCESSING | LEGAL BASIS | DATA RETENTION PERIOD | NATURE OF DATA PROVISION | |
| A) | Fulfilment of contractual obligations and administrative, accounting and legal purposes related to the establishment, execution and termination of the contractual relationship. | The processing of data is necessary for the execution of a contract (C44). Article 6(1)(b) of the GDPR. | 10 years. Article 2220 of the Italian Civil Code, except for contractual and non-contractual matters that may arise and unless otherwise required by law. | The conferment of personal data is necessary for contractual purposes. Failure to provide the necessary personal data shall render it impossible to establish a contractual relationship with Data Subjects. |
| B) | Direct marketing, automated “soft-spam” via email: for the purposes of direct sales of its products or services, the Data Controller will use the email coordinates provided by the Data Subject in the context of the sale of a product or service, without requesting the consent of the Data Subject, for promotional and commercial communications and newsletters on services similar to those being sold and the Data Subject, adequately informed, does not refuse such use, initially or on the occasion of subsequent communications. At the time of collection and on the occasion of sending any communication made for the purposes referred to in this paragraph, the Data Subject is informed of the possibility of opposing the processing at any time, in an easy and free manner. | The processing is necessary for the pursuance of the legitimate interests of the Data Controller or third parties, on condition that they do not impinge on the interests or rights and fundamental freedoms of the Data Subject, requiring the protection of the Personal Data (C47-C50). Article 6(1)(f) of the GDPR and Article 130(4) of Legislative Decree 196/2003. | Until opposition (opt-out). | The conferment is optional. Failure to provide the necessary data shall render it impossible to receive direct marketing communications via email (soft-spam). |
| C) | Preventing and conducting disputes and other legal matters and for defence in court. | The processing is necessary for the pursuance of the legitimate interests of the Data Controller or third parties, on condition that they do not impinge on the interests or rights and fundamental freedoms of the Data Subject, requiring the protection of the Personal Data (C47-C50). Article 6(1)(f) of the GDPR. | 10 years, unless opposed and without prejudice to the time necessary for defence in court. | The provision of personal data is required. Failure to provide the data shall prevent the achievement of the legitimate interest of the Data Controller indicated in the purposes of this point. The refusal must be balanced with the legitimate interest of the Data Controller indicated in the purposes of this point. |
| D) | Management of requests regarding the protection of personal data and requests from other Data Subjects, pursuant to Articles 15 and following of the GDPR (Rights of the Data Subject). | The processing is necessary for compliance with a legal obligation to which the controller is subject (C45). Article 1(c) of the GDPR. | 5 years from the closure of the request, except in the event of litigation. | The provision of personal data is mandatory, as it is essential to be able to execute the obligations of the Law. |
| E) | Management control aimed at guiding management towards the achievement of the objectives established during operational planning, measuring appropriate indicators to detect any deviation between planned objectives and achieved results, informing the responsible bodies of any such deviations, so that they may decide and implement the appropriate corrective actions. | The processing is necessary for the pursuance of the legitimate interests of the Data Controller or third parties, on condition that they do not impinge on the interests or rights and fundamental freedoms of the Data Subject, requiring the protection of the Personal Data (C47-C50). Article 6(1)(f) of the GDPR. | Maximum 10 years, unless opposed. | Data collection is necessary to allow the Data Controller to exercise management control. Failure to provide the data shall prevent the achievement of the legitimate interest of the Data Controller indicated in the purposes of this point. The refusal must be balanced with the legitimate interest of the Data Controller indicated in the purposes of this point. |
| 4. TO WHOM WILL PERSONAL DATA BE DISCLOSED? DATA RECIPIENTS The data will not be disseminated. Personal data will be communicated to subjects who shall process the data as autonomous Data Controllers or Data Processors (Article 28 GDPR) and will be processed by natural persons (Article 29 GDPR) acting under the authority of the Data Controller and Data Processors on the basis of specific instructions provided regarding the purposes and methods of processing. The data will be communicated to recipients belonging to the categories of: – Subjects based in Italy who manage/support/assist, even only occasionally, the Data Controller in the administration of the Information System and telecommunications networks (including email, websites and/or web platforms); – Entities based in Italy envisaged under current accounting and tax legislation as recipients of mandatory communications; – Banking and equivalent institutions based in Italy; – Subjects based in Italy with whom the Data Controller has entered into economic agreements; – Firms or companies based in Italy providing tax assistance and consultancy and administrative/accounting management; – Bodies and companies for certifications, based in Italy; – For direct marketing, subjects for the management of marketing and communications activities, based in Italy; – Competent authorities for fulfilment of legal obligations and/or provisions of public bodies, on request. The list of Data Processors per Article 28 is available by writing to info@cearsistemi.it or to the other addresses indicated above. |
| 5. IS DATA TRANSFERRED TO COUNTRIES OUTSIDE THE EEA? Personal data will not be transferred to non-EEA countries. In particular, it should be noted that the data will be stored in Italy and that the data recipients are based in Italy. |
| 6. IS THERE ANY AUTOMATED PROCESSING? Personal data will be subject to traditional manual, electronic and automated processing. It is noted that fully-automated decision-making processes are not conducted. |
| 7. RIGHTS OF DATA SUBJECTS Data Subjects may assert their rights as expressed in Articles 15 et seq. of the GDPR, by contacting the Data Controller via the email address info@cearsistemi.it or by writing to the contacts indicated above. The Data Controller guarantees Data Subjects the possibility of requesting, at any time, access to (Article 15), correction of (Article 16) and erasure of (Article 17) their personal data, along with the limitation of processing (Article 18). The Data Controller then communicates (Article 19) to each of the recipients to whom the personal data has been transmitted regarding any corrections or erasures or limitations for the processing carried out. The Data Controller will inform the Data Subjects who request such recipients. The Data Controller guarantees the right to portability (Article 20) and, in the event of requests pursuant to Article 20, shall provide Data Subjects with the data in a structured, commonly-used and machine-readable format. Data Subjects have the right to oppose (Article 21), at any time, to the processing of data based on legitimate interest, by writing to the above contacts with the subject “Opposition”. If the right to object to the processing based on legitimate interest is exercised, the Data Controller acknowledges that the Data Subjects have the possibility to obtain upon request information on the balancing test carried out. To stop receiving automated direct marketing communications (email), Data Subjects are invited to email info@cearsistemi.it with the subject “Cancellation from Automated Communications” or to use the automatic cancellation systems provided for emails only (opt-out). If the Data Subjects consider that the processing of personal data carried out by the Data Controller is in violation of the provisions of Regulation (EU) 2016/679, they have the right to file a complaint with the National Supervisory Authority, in particular in the Member State in which they usually reside or work, or in the place where the alleged violation of the Regulation has occurred (Supervisory Authority – Privacy – https://www.garanteprivacy.it/), or to bring about the appropriate legal proceedings. |
| 8. POLICY CHANGES The Data Controller may change, modify, add or remove any part of this Privacy Policy.In order to facilitate the verification of any changes, the Policy shall contain details regarding the date of updates to the Policy itself. |
Updated on: 06.05.2025
