PRIVACY NOTICE PURSUANT TO ART. 13 OF EU REGULATION 2016/679
for the advertising and promotional activities carried out by the Companies controlled by, affiliated with or otherwise associated with Syneto (hereinafter also: “Syneto Group”), as Joint Controllers of the processing pursuant to art. 26 of the GDPR, towards partners, distributors, resellers, customers and their contact persons
For us, data protection is a very serious matter; we therefore wish to inform you about how your data is processed and about the rights you may exercise under the current data protection legislation, in particular EU Regulation 2016/679 (hereinafter also: “GDPR”).
This notice concerns the advertising and promotional activities towards partners, distributors, resellers, customers and their contact persons, whose data is collected by the Companies of the Syneto Group indicated below, as Joint Controllers, also separately and depending on the circumstances, at trade fairs, conferences, events, commercial meetings or in the context of the existing contractual – commercial relationships.
For the processing activities not detailed in this notice and relating to the categories of data subjects mentioned above, please refer to the privacy notices issued by each Company in the context of the relationships maintained with those subjects.
1. Joint Controllers* and Data Protection Officers (DPO)
Joint Controller 1 Syneto S.p.A. Via Cefalonia no. 70 25124, Brescia (BS), Italy E-mail contact: [email protected] Joint Controller 2 Syneto Iberica S.L. Calle Antonio Arias no. 6 28009, Madrid (Spain) E-mail contact: [email protected] Joint Controller 3 Syneto S.R.L. No. 2 Martin Luther, Entrance A, 4th floor Timișoara (Romania) E-mail contact: [email protected] Joint Controller 4 Orizon S.r.l. Via Cefalonia no. 70 25124, Brescia (BS), Italy E-mail contact: [email protected] Joint Controller 5 Orizon Cyber Security S.L. Calle Rodríguez San Pedro no. 2, Oficina 514 28015, Madrid (Spain) E-mail contact: [email protected] |
Data Protection Officer (DPO) for Joint Controller 1 Atty. Vera Cantoni Address for the assignment: Via F. Turati no. 26, 20121, Milan (MI) E-mail: [email protected] Data Protection Officer (DPO) for Joint Controller 2 Valentina Orsorio Address for the assignment: Antonio Arias, no. 6, Country: SPAIN, City: Madrid, Province: Madrid, Postal code: 28009 E-mail: [email protected] Data Protection Officer (DPO) for Joint Controller 3 Ionel Orza Address for the assignment: city of Tg. Mureș, Via Cuza Vodă no. 61, Apt. 1, province of Mureș, Postal code 540036 E-mail: [email protected] |
* The essential content of the joint controllership agreement is available to data subjects upon explicit request.
2. Categories of data subject to processing
The categories of “personal data” (pursuant to Art. 4.1 of the GDPR) processed by the Joint Controllers may be, by way of example only but certainly not exhaustively:
- Personal and identifying data (such as, for example, first and last name, date of birth, place of birth, nationality, tax code, VAT number, etc.);
- Contact data (such as, for example, address, e-mail address, IP address, telephone number, etc.);
- For legal representatives, contact persons and employees of Companies or Entities, data relating to the role held within the Company or Entity.
3. Lawfulness and purposes of the processing
The processing of personal data is carried out in compliance with the provisions of the General Data Protection Regulation (GDPR) and any other applicable data protection legislation. Details are provided below:
3.1 Purposes covered by the data subject's consent (pursuant to art. 6, paragraph 1 (a) of the GDPR)
a. Performance by the Joint Controllers, operating in the IT sector, of advertising or promotional activities, in the broadest sense of the term (for example, sending newsletters and informational material, brochure requests, organisation of events, etc.) and of further marketing activities, through automated contact methods (for example: calls without an operator, e-mails, SMS and various messaging systems, including instant and internet-based ones, also to mobile phones) and non-automated methods (sending of paper mail and calls with an operator);
b. Performance by the Joint Controllers, operating in the IT sector, of market research and surveys (by way of example, carrying out market studies and statistical analyses regarding the degree of satisfaction, through automated contact methods (for example: calls without an operator, e-mails, SMS and various messaging systems, including instant and internet-based ones, also to mobile phones) and non-automated methods (sending of paper mail and calls with an operator).
The retention period of personal data, in relation to the purpose set out in this section, is:
For purposes: a, b, 24 months from the granting of consent, unless revoked.
4. Recipients or categories of recipients of personal data (pursuant to art. 13 paragraph 1 (e) of the GDPR) *
Each Joint Controller may communicate your data to:
- Internal offices and functions of each Joint Controller;
- Companies and professional operators that provide IT services, including electronic data processing, software and cloud management, website management and IT consultancy;
- Qualified professionals for the purpose of studying and resolving any legal and contractual issues, including lawyers and tax advisors;
- Marketing and communication companies and agencies, as well as IT, mailing and hosting service providers and software platforms used for the management of promotional campaigns and communications (including CRM systems);
- Transport companies, postal couriers and companies that carry out enveloping and shipping activities of the communications indicated above;
- Public Administrations, competent Authorities, public Bodies and Agencies in the context of the performance of their institutional duties.
* The complete and updated list of Recipients (pursuant to art. 4.9 of the GDPR) is available from each Joint Controller of the personal data processing at the contact details indicated above.
5. Recipients or categories of recipients of personal data (pursuant to art. 13 paragraph 1 (f) of the GDPR) * and transfer of data to non-EU Countries
The Joint Controllers inform you that they have no intention of transferring your data to countries outside the EU and the EEA for the purposes indicated above.
* The updated list of adequate non-EEA countries deemed adequate by the European Commission may be obtained on the website: Adequacy decisions (europa.eu)
6. Rights of the Data Subject (pursuant to art. 13 paragraph 2 (b) of the GDPR)
The data subject may exercise the following rights:
- right of access of the data subject [art. 15 of the EU Regulation] (the possibility to be informed about the processing carried out on their Personal Data and, where applicable, to receive a copy of it);
- right to rectification of one's Personal Data [art. 16 of the EU Regulation] (the data subject is entitled to the rectification of inaccurate personal data concerning them);
- right to erasure of one's Personal Data without undue delay (“right to be forgotten”) [art. 17 of the EU Regulation] (the data subject has, and will have, the right to the erasure of their data);
- right to restriction of processing of one's Personal Data in the cases provided for by art. 18 of the EU Regulation, including in the case of unlawful processing or of the data subject contesting the accuracy of the Personal Data [art. 18 of the EU Regulation];
- right to data portability [art. 20 of the EU Regulation], the data subject may request their Personal Data in a structured format in order to transmit them to another controller, in the cases provided for by the same article;
- right to object to the processing of one's Personal Data [art. 21 of the EU Regulation] (the data subject has, and will have, the right to object to the processing of their personal data);
- right not to be subject to automated decision-making, [art. 22 of the EU Regulation] (the data subject has, and will have, the right not to be subject to a decision based solely on automated processing).
Further information regarding the rights of the data subject may be obtained by requesting from the Joint Controllers a full extract of the articles mentioned above.
With regard to the purposes for which consent is required, the Data Subject may withdraw their consent at any time and the effects shall take effect from the moment of withdrawal, without prejudice to the terms provided for by law. As a general rule, the withdrawal of consent has effect only for the future.
The above-mentioned rights may be exercised in accordance with the provisions of the Regulation by sending, among other things, an e-mail to the address: [email protected].
In compliance with art. 19 of the EU Regulation, the Joint Controllers shall inform the recipients to whom the personal data has been communicated of any rectifications, erasures or restrictions of processing requested, where this is possible.
To allow a faster response to your requests made in the exercise of the rights indicated above, the same may be addressed to each Joint Controller, by sending them to the contact details indicated in point 1.
7. Right to lodge a complaint (pursuant to art. 13 paragraph 2 (d) of the GDPR)
The data subject, if they consider that their rights have been compromised, has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali), in accordance with the procedures indicated by the same Authority at the following Internet address http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524 or by sending a written communication to the Italian Data Protection Authority.
8. Possible consequences of the failure to provide data and nature of the provision of data (pursuant to art. 13 paragraph 2 (e) of the GDPR)
8.1 In the case of the data subject's consent
For the purposes for which consent is required, the Data Subject may withdraw their consent at any time and the effects shall take effect from the moment of withdrawal, without prejudice to the terms provided for by law. As a general rule, the withdrawal of consent has effect only for the future. Therefore, the processing carried out before the withdrawal of consent shall not be affected and shall retain its lawfulness.
The failure to provide consent or the partial provision of consent (or its withdrawal) may not guarantee the full provision of the services or activities, with reference to the individual purposes for which consent is denied, and shall not constitute prejudice or impediment to the other purposes (and to the activities connected with them) not involved or expressly affected by the denial of consent or not based on such legal basis.
When the data is no longer necessary, taking into account the retention periods indicated above, it is regularly deleted. Should deletion prove impossible or only possible through a disproportionate effort due to a particular method of retention, the data may not be processed and must be archived in non-accessible areas.
9. Absence/Existence of a fully automated decision-making process pursuant to art. 22 of the GDPR
The use of purely automated decision-making processes as detailed in article 22 of the GDPR is currently excluded. Should it be decided in the future to introduce such processes for individual cases, the data subject will receive separate notice thereof where this is required by law, or through an update of this notice.
10. Methods of processing
Personal data will be processed in paper, computerised and telematic form and entered into the relevant databases, which may be accessed, and therefore known, by the staff expressly designated by each Joint Controller as Processors and Authorised Persons for the processing of personal data, who may carry out consultation, use, processing, comparison and any other appropriate operation, including automated ones, in compliance with the legal provisions necessary to guarantee, among other things, the confidentiality and security of the data as well as the accuracy, updating and relevance of the data in relation to the declared purposes.
This notice and subsequent updates are published on the websites of each Joint Controller (https://syneto.eu/ and https://orizon.one/) .