Type of data processed
Any information (e.g. name) concerning an identified or identifiable naturalperson, even indirectly, or information (e.g. tax code, picture) concerning aperson whose identity can nevertheless be ascertained by means of additionalinformation, is identified as personal data.
The currentlegislation identifies, among personal data, some special categories for whichprocessing is prohibited except for defined specific cases not covered by CREIVen.'s activity.
Thesespecial categories consist of personal data revealing racial or ethnic origin,political opinions, religious or philosophical beliefs, or trade unionmembership, as well as genetic data, biometric data intended to uniquelyidentify a natural person, data concerning the health or sex life or sexualorientation of the individual.
The dataprocessed by CREI Ven are, therefore, personal and do not belong to specialcategories, including, by way of non-exhaustive example, the following:
- name and surname
- email address
- date of birth
- place of birth
- phone number
Purpose of processing
The personaldata provided will be processed by CREI Ven for the purpose of perfecting thelegal relations inherent to the company's sphere of activity and the properfulfilment of the relevant obligations.
Specifically,the data are processed in order to enable the data subject to comply withcommercial, contractual, disclosure, administrative and accounting purposes(including the handling of complaints and litigation).
Scope of data circulation
In the eventof subcontracting certain activities entrusted to CREI Ven or the need to issuecertificates by other entities, personal data may be communicated to thirdparty companies, subject to prior agreement with the data subject.
Processing iscarried out by means of operations or series of operations for the collection,recording and organisation of data: processing, including modification,comparison/interconnection; use, including consultation and communication;storage; deletion. The data are kept and controlled by adopting suitablepreventive security measures aimed at minimising the risks of loss anddestruction, unauthorised access, processing that is not permitted and does notcomply with the purposes for which consent to collection is given. Processingis also carried out with the aid of electronic or automated means and isperformed directly by the Data Controller.
Communication of data
The personswho may become aware of the personal data, within the limits strictly necessaryto fulfil the above-mentioned purposes, are persons appointed by CREI Ven.
The datashall not be transferred outside the European Union. It is in any case understoodthat the Data Controller, should it become necessary for the execution of thecontract concluded and/or for the conclusion or execution of a contract enteredinto by the Data Controller with a third party in its favour, shall have theright, subject to the explicit consent of the data subject, to communicatehis/her data to subjects with offices in non-EU countries, even in the absenceof an adequacy decision by the European Commission due to the lack of anadequate level of data protection in said third country. In this case, thetransfer of data outside the EU will take place by entering into agreements, ifnecessary, that guarantee an adequate level of protection and/or by adoptingthe standard contractual clauses provided for by the European Commission.
The datasubject has the right to obtain a copy of his or her own data as specified inthe following paragraphs of this policy, in the manner indicated.
Provision of data and consequences of refusal
Theprovision of personal data, without prejudice to the autonomy of the personconcerned and to the compulsory nature of the data by law or Communityprovisions, is a strictly necessary condition for the conclusion of newrelationships and their consequent management and execution.
The DataController will keep the data of the data subjects in a form that allows themto be identified for a period of time not exceeding 10 years from the end oftheir working relationship with CREI Ven, in line with the provisions of theinternal accreditation rules, or for the different period provided for by therelevant regulations.
Rights of the data subject
The interested party has the right to:
9.1. Obtain confirmation of the existence or not of personal data concerning him, even if not yet recorded, and their communication in intelligible form.
9.2. Obtain the indication:
- the origin of the personal data;
- the purposes and methods of treatment;
- the logic applied in case of treatment with the aid of electronic instruments;
- the identity of the owner and manager;
- the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them.
- the updating, rectification or, when interested, the integration of data;
- the cancellation, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed;
- certification that the operations in letters a) and b) have been notified, also as regards their contents, to those to whom the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate to the protected right.
9.4. Oppose, in whole or in part:
- for legitimate reasons, to the processing of personal data concerning him/her, even if pertinent to the purpose of collection;
- to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys;
9.5. Exercise the right to lodge a complaint with the Control Authority for any matter concerning the above mentioned data processing. Pursuant to Art. 16 to 22 GDPR the interested party may exercise:
- the right to rectification (art. 16),
- the right to be forgotten (deletion art. 17),
- the right to restriction of treatment (art. 18),
- the right to obtain from the Controller the notification to the recipients to whom the data have been transmitted of any rectification or cancellation or limitation of processing (art. 19),
- the right to portability (art. 20),
- the right to object (art. 21),
- the right to refuse the automated process (art. 22).
You are allowed to access your data to:
- Verify their veracity;
- Modify them if they become inaccurate;
- Integrate them also with integrative declaration;
- Request their cancellation;
- Limit their treatment;
- To oppose the treatment.
The interested party may revoke at any time the consent expressed in relation to the distinct purposes indicated above, except for the impossibility of continuing the business relationship as indicated and without prejudice to the processing of data previously acquired for the fulfillment of tax and fiscal obligations dependent on the contracts concluded.
The Data Controller, in compliance with the corresponding right of access to the data subject, has put in place procedures whereby data subjects may request the deletion of their personal data without undue delay or the restriction of the processing of their personal data for the following reasons:
- Because the data is no longer necessary for the purposes for which it was collected;
- Because the data subject has withdrawn consent;
- Because the data subject objects to the processing;
- Because the data are processed unlawfully.
How to exercise your rights
The data controller and processor is CREI Ven S.C.AR.L. - Corso Spagna, 12 - 35127 Padova, Italy, against whom the Customer may exercise his rights under Art. 7 of Legislative Decree 196/03 and Article 15 GDPR.