according to Articles 13 and 14 of EU Regulation 2016/679
Dear Data Subject,
Datrix Group has always valued the protection of personal data of its customers and users.
Through this document (“Policy“), we intend to renew our commitment to ensure that the processing of personal data by any means is carried out in full compliance with the protections and rights recognized by Regulation (EU) 2016/679 (“GDPR” or “Regulation“) and other applicable rules on the protection of personal data.
The term personal data refers to the definition contained in the Article 4.1 of the Regulation, i.e. “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (the “Personal Data“).
The Regulation provides that, before processing – by this term should be understood, according to the relevant definition contained in the Article 4.2 of the Regulations, “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;” (the “Processing“) – Personal Data, it is necessary that the person to whom such Personal Data belongs is informed of the reasons for which such data is requested and how it will be used.
For this reason, this Policy – drafted based on the principle of transparency and all the elements required by Article 13 of the Regulations – aims to provide you, simply and intuitively, with all the useful and necessary information so that you can give your Personal Data in a conscious and informed way.
Any time, you can request and obtain clarifications or corrections.
A. DATA CONTROLLER AND JOINT CONTROLLER
Under Article 26 of the Regulations, the companies that will process your Personal Data for the purposes outlined in this Policy and that, therefore, will act as data controllers or joint controllers, are the companies belonging to the Datrix Group, specifically:
- Datrix S.p.A.
- 3rdPlace S.r.l.
- FinScience S.r.l.
- PaperLit S.r.l.
- ByTek S.r.l.
(individually the “Controller“, jointly “Datrix Group“).
The companies have their registered office in Foro Buonaparte n. 71, 20121 – Milano.
Datrix Group drafted an arrangement, through which the individual companies have committed themselves to jointly:
- determine specific purposes and methods of Processing your Personal Data;
- decide, clearly and transparently, the procedures to provide you with timely feedback should you wish to exercise your rights, as provided for in Articles 15, 16, 17, 18 and 21 of the Regulation as well as in the cases of portability of Personal Data provided for in Article 20 of the Regulation;
- define this Policy in the parts of common interest, indicating all the information provided by the Regulations.
The necessary content of the agreement is available at the Datrix Group available upon request to the contacts mentioned in Section G.
B. CONTACT DETAILS OF THE DATA PROTECTION OFFICER
To facilitate relations between you, as the Data Subject, and the Controllers, the Datrix Group has adopted the figure of the “Data Protection Officer”, identifying and appointing, according to Article 37 of the Regulation, SAPG Legal Tech S.r.l. (“DPO“).
The DPO, under and for Article 39 of the Regulation, is called upon to perform, among others, the following activities:
- advising the Datrix Group and the employees carrying out the Processing operations on the obligations arising from the Regulation as well as from other provisions of the Union or of the Member States relating to the protection of Personal Data;
- monitoring and supervising compliance with the Regulation, the applicable regulations on the protection of Personal Data and the policies and procedures adopted by the Datrix Group;
- provide support in the feedback to the Data Subject;
- cooperate with the competent Authority for the Protection of Personal Data.
According to Article 38 of the Regulations, you may freely contact the DPO for all matters relating to the Processing of your Personal Data and
C. PURPOSE AND LEGAL BASIS OF THE PROCESSING
The Datrix Group, to allow navigation and your registration to its websites (the “Website“) gather your Personal Data as well as navigation data (including through cookies), following the policies in the relative CMP that appear on the Websites when you first access them.
You can change your preferences on navigation cookies at any time by clicking on the cog located in the lower-left corner of the window.
Each Data Controller will conduct the Processing of your Personal Data to allow you to:
- get in touch with the company
- send requests for information
- apply for job positions
- download free resources
- use all the other services provided from time to time by the Website in which you are browsing
To allow the Data Controller to carry out the Processing it will be necessary to provide Personal Data marked as “mandatory”.
Such Processing will be lawful under Article 6.1, letter b) of the Regulations.
Suppose you fail to provide even one of the marked data. In that case, it will not be possible to process your Personal Data and, consequently, it will not be possible to respond to your requests and benefit from the services (provided through the Websites) for which you are required to provide Personal Data.
The Personal Data that will be requested from you for the pursuit of the above purposes will be those indicated in the registration and contact form, i.e., by way of example and without limitation: name, surname, e-mail address, telephone numbers of mobile users.
No Personal Data belonging to the particular categories referred to in Article 9 of the Regulations are processed.
In addition to the above purposes, your Personal Data may be processed to provide you with a better service and to promote products and services of your interest supplied and promoted by Datrix Group.
Concerning these purposes (including direct marketing), under Article 6.1 letter f) of the Regulation and Article 130 paragraph 4 of the Italian Privacy Code (so-called “soft spam exception”), the Datrix Group may carry out this activity based on their legitimate interest, regardless of your explicit consent and in any case up to your opposition or limitation (in accordance with the provisions of Section F, letter f). d) and f) of the Policy) to such Processing, as better explained in Recital 47 of the Regulation, in which it is “considered legitimate interest of the data controller to process personal data for direct marketing purposes”.
The choice mentioned above it is possible as a result of the assessments made by the Data Controller regarding the potential prevalence of your interests, rights and fundamental freedoms that require the protection of Personal Data over your legitimate interest in sending direct marketing communications.
Moreover, you may legitimately oppose the receipt of promotional communications at any time, without prejudice in any way to the Processing for other purposes.
D. SUBJECTS TO WHOM YOUR PERSONAL DATA MAY BE COMMUNICATED
Your Personal Data may be disclosed to specific entities the considered recipients of such Personal Data. Article 4, point 9) of the Regulation, defines as the recipient of a Personal Data “the natural or legal person, public authority, service or other body receiving communication of personal data, whether or not a third party” (the “Recipients”).
- third parties which carry out part of the Processing and activities connected and instrumental on behalf of a Data Controller or the Datrix Group. These subjects have been appointed as Data Processors, being understood individually by this expression, under Article 4 point 8) of the Regulation, “the natural or legal person, public authority, service or other body processing Personal Data on behalf of the Data Controller” (“Data Processor“);
- individuals, employees and collaborators of a Data Controller or of the Datrix Group, who have been entrusted with specific or multiple processing activities on your Personal Data. These individuals have been given specific instructions regarding the security and correct use of Personal Data and are defined, following Article 4 point 10) of the Regulation, as “persons authorized to process Personal Data under the direct authority of the Data Controller or the Data Processor” (the “Authorized Persons“).
Where required by law or to prevent or repress the commission of a crime, your Personal Data may be communicated to public bodies or judicial authorities without them being defined as Recipients. According to Article 4.9 of the Regulation, “public authorities that may receive communication of Personal Data in the context of a specific investigation in accordance with Union or Member State law are not considered Recipients”.
E. PROCESSING PERIOD
One of the principles applicable to the Processing of your Personal Data concerns the limitation of the period of storage, regulated by Article 5.1 letter e) of the Regulation which states that “Personal Data are stored in a form that allows the identification of the Data Subject for a time not exceeding the achievement of the purposes for which they are processed; Personal Data may be stored for longer periods provided that they are processed exclusively for purposes of archiving in the public interest, for scientific or historical research or statistical purposes, under Article 89, paragraph 1, without prejudice to the implementation of appropriate technical and organizational measures required by these Regulations to protect the rights and freedoms of the Data Subject”.
In light of this principle, your Personal Data will be processed by Datrix Group only to the extent necessary for the pursuit of the purpose set out in Section C of this Policy.
In particular, your Personal Data will be processed for a period of time equal to the minimum necessary, as indicated in Recital 39 of the Regulations, i.e. until the termination of the contractual relationship between you and the Data Controller, without prejudice to a further period of storage that may be imposed by law as also provided for in Recital 65 of the Regulations.
Concerning the Processing carried out to achieve the other purposes set out in this Policy, the Datrix Group may legitimately process your Personal Data until you communicate, in one of the ways set out in the Information Notice, your desire to limit or oppose the Processing. Any such limitation or opposition will, in fact, require the Datrix Group to stop processing your Personal Data for such purpose.
F. RIGHTS OF DATA SUBJECTS
As provided for by Article 15 of the Regulations, you may access your Personal Data, request its correction and updating, if incomplete or incorrect, request its deletion if it has been collected in violation of a law or regulation, and oppose its Processing for legitimate and specific reasons.
In particular, here below, you will find all the rights that you may exercise, at any time, against a Data Controller.
Right of access
You will have the right, according to Article 15.1 of the Regulations, to obtain confirmation from the Data Controller as to whether or not your Personal Data is being processed and, if so, to get access to such Personal Data and the following information: a) the purposes of the Processing; b) the categories of Personal Data in question; c) the Recipients or categories of Recipients to whom your Personal Data has been or will be communicated, in particular if Recipients from third countries or international organizations; d) when possible, the period of retention of the Personal Data envisaged or, if this is not possible, the criteria used to determine this period; e) the existence of the right of the Data Subject to ask the Data Controller to correct or delete Personal Data or to limit the Processing of Personal Data concerning him/her or to object to their Processing; f) the right to lodge a complaint with a supervisory authority; g) if Personal Data are not collected from the Data Subject, all available information on their origin; h) the existence of an automated decision-making process, including the profiling referred to in Article 22, paragraphs 1 and 4, of the Regulation and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such Processing for the Data Subject.
Right of rectification
You will be able to obtain, under Article 16 of the Regulations, the rectification of your Personal Data that is inaccurate. Taking into account the purposes of the Processing, you will also be able to obtain the integration of your Personal Data that is incomplete, even by providing an additional statement.
Right to cancellation
You may obtain, under Article 17.1 of the Regulations, the deletion of your Personal Data without unjustified delay and the Data Controller will be obliged to delete your Personal Data if there are even one of the following reasons:
- your Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed;
- you have revoked the consent on which the Processing of your Personal Data is based, and there is no other legal basis for its Processing;
- you have opposed the Processing under Article 21, paragraph 1 or 2, of the Regulations and there is no longer any prevailing legitimate reason to process your Personal Data;
- your Personal Data has been processed unlawfully; e) it is necessary to delete your Personal Data to comply with a legal obligation provided for by a Community or national law.
In some cases, as provided for by Article 17.3 of the Regulation, the Data Controller is entitled not to delete your Personal Data if their Processing is necessary.
For example, for the exercise of the right to freedom of expression and information, for the fulfilment of a legal obligation, for reasons of public interest, for archiving in the public interest, for scientific or historical research or statistical purposes, for the ascertainment, exercise or defense of a right in court.
Right of Limitation of Processing
You will be able to obtain the limitation of the Processing, according to the Article 18 of the Regulations, in case one of the following hypotheses applies:
- you have challenged the accuracy of your Personal Data (the limitation will continue for the period necessary for the Controller to verify the accuracy of such Personal Data);
- the Processing is unlawful, but you have opposed the deletion of your Personal Data by requesting, instead, that its use be limited;
- although the Controller no longer needs it for the Processing, your Personal Data is used for discovering, exercising or defending a right in court;
- you have opposed the Processing under Articles 18 and 21.1 of the Regulations, and you are waiting for the verification of whether the legitimate reasons of the Data Controller prevail over your own.
In case of limitation of the Processing, your Personal Data will be processed, except for storage, only with your consent or to ascertain, exercise or defend a right in court or to protect the rights of another natural or legal person or for reasons of public interest. We will inform you, in any event, before such limitation is lifted.
Right to data portability
You may, at any time, request and receive, under Article 20.1 of the Regulations, all your Personal Data processed by the Data Controller in a structured, commonly used and readable format or request its transmission to another data controller without hindrance. In this case, it will be your responsibility to provide us with all the exact details of the new data controller to whom you intend to transfer your Personal Data by giving us written authorization.
Right of opposition
According to Article 21.2 of the Regulations and as also reiterated in Recital 70, you may object, at any time, to the Processing of your Personal Data if it is processed for direct marketing purposes, including profiling to the extent that it is related to such direct marketing.
Right to lodge a complaint with the supervisory authority
Without prejudice to your right to appeal in any other administrative or judicial venue, if you believe that the Processing of your Personal Data conducted by the Data Controller violates the Regulations and applicable law, you may complain at the competent Data Protection Authority.
To exercise all your rights as identified above, you shall contact the Datrix Group by sending an e-mail to email@example.com.
Please note that, at any time, you may also contact the Datrix Group’s DPO in the manner provided in Section B of this Policy.
H. PLACES OF PROCESSING
Your Personal Data will be processed by the Datrix Group within the territory of the European Union.
Should it be necessary, for technical and operational reasons, to make use of subjects located outside the European Union, we hereby inform you that such subjects will be appointed as Data Processors according to and for the purposes of Article 28 of the Regulation and the transfer of your Personal Data to such subjects, limited to the performance of specific processing activities, will be regulated in accordance with the provisions of Chapter V of the Regulation.
Therefore, all necessary precautions will be taken to ensure the fullest protection of your Personal Data, based on: (a) decisions of adequacy of the recipient third countries expressed by the European Commission; (b) adequate guarantees expressed by the recipient third party pursuant to Article 46 of the Regulation; (c) the adoption of binding corporate rules, so-called binding corporate rules; (d) the adoption of standard contractual clauses approved by the European Commission.
In any case, you may request further details from the Datrix Group if your Personal Data has been processed outside the European Union by requesting evidence of the specific guarantees adopted.