Information notice on the processing of personal data of EuroGroup network users pursuant to art. 13 and 14 GDPR
DATA CONTROLLER
The data controller is the party who decides how personal data collected is to be used and for what purposes.
For the processing activities referred to in this information notice, each Group company acts as an autonomous data controller.
The drafting of a single processing notice is therefore exclusively linked to an organisational simplification of the Group: in fact, there is no joint-controllership between the Companies.
E.M.S. EURO MANAGEMENT SERVICES S.p.A.
via Trivulzio, 1, 20146 Milan, Italy
EUROGROUP LAMINATIONS S.p.A.
via Stella Rosa 48/50, 20021 Baranzate (MI) Italy
CORRADA S.p.A.
via Michelangelo Buonarroti 8, 20020 Lainate (MI) Italy
EUROTRANCIATURA S.p.A. Società Unipersonale
via Stella Rosa 48/50, 20021 Baranzate (MI) Italy
EUROSLOT TOOLS S.r.l.
via De Gasperi 10, 20066 Melzo (MI), Italy
SAF S.p.A.
via Industriale 14 - 25080 Muscoline (BS), Italy
E-mail: [email protected]
Each of which is hereinafter also referred to as “Company” or “Controller”.
DPO
The DPO is the subject designated by the data controller who supports the data controller in monitoring compliance with the GDPR, raising awareness and information, and other activities required by law, and acts as a point of contact for data subjects and the Supervisory Authority.
E-mail: [email protected]
PERSONAL DATA
“Personal data” is any information concerning an identified or identifiable natural person (defined as “data subject”); a natural person who can be identified, directly or indirectly, is considered identifiable. Personal data may be common (such as name, surname, e-mail address, IBAN, etc.) or special (data that, by its very nature, requires special protection).
Personal data processed pursuant to this information notice (“Data”) are personal and contact data – by way of example but not limited to, first name, last name and e-mail address – requested at the time of user registration in the Internet access portal, as well as navigation tracking data required to carry out the necessary checks on the proper functioning of the information systems and the appropriate use of the network.
PURPOSES OF THE PROCESSING
The data provided are processed for the various purposes indicated in this column: these specify the purpose of the processing. Each purpose is associated with a legal basis for the processing and a retention period, shown to the right of the purpose.
LEGAL BASIS OF THE PROCESSING
The legal basis is the condition that makes the processing lawful; the legal bases are defined by the GDPR and are, by way of example, consent, performance of a contract, and fulfilment of a legal obligation. In this column, you can find the legal bases associated with each purpose.
DATA RETENTION PERIOD
Personal data may only be processed for the period of time necessary to achieve the purpose for which it was collected. In this column you can find an indication of the data retention time in relation to each processing purpose.
Purpose of verifying access to the corporate Internet network (so-called "guest network").
Execution of contractual and/or pre-contractual measures taken at your request, pursuant to Art. 6.1(b) GDPR.
Contractual term, and after termination, 1 year.
Monitoring navigation activities, in order to protect the Company from any undue use of the corporate network.
Legitimate interest of the Controller pursuant to Article 6.1(f) of the GDPR.
6 months from the collection of the data.
If necessary, to ascertain, exercise or defend the Controller's rights in court or out of court procedures.
Legitimate interest of the Controller pursuant to Article 6.1(f) of the GDPR.
For the entire duration of the litigation or out-of-court proceedings, until the time limits for appeal have been exhausted.
After the aforementioned retention periods have expired, the Data will be destroyed or anonymised, subject to technical cancellation and backup procedures and the accountability requirements of the Controller.
PURPOSES OF THE PROCESSING
The data provided are processed for the various purposes indicated in this column: these specify the purpose of the processing. Each purpose is associated with a legal basis for the processing and a retention period, shown to the right of the purpose.
LEGAL BASIS OF THE PROCESSING
The legal basis is the condition that makes the processing lawful; the legal bases are defined by the GDPR and are, by way of example, consent, performance of a contract, and fulfilment of a legal obligation. In this column, you can find the legal bases associated with each purpose.
DATA RETENTION PERIOD
Personal data may only be processed for the period of time necessary to achieve the purpose for which it was collected. In this column you can find an indication of the data retention time in relation to each processing purpose.
Purpose of verifying access to the corporate Internet network (so-called "guest network").
Execution of contractual and/or pre-contractual measures taken at your request, pursuant to Art. 6.1(b) GDPR.
Contractual term, and after termination, 1 year.
Monitoring navigation activities, in order to protect the Company from any undue use of the corporate network.
Legitimate interest of the Controller pursuant to Article 6.1(f) of the GDPR.
6 months from the collection of the data.
If necessary, to ascertain, exercise or defend the Controller's rights in court or out of court procedures.
Legitimate interest of the Controller pursuant to Article 6.1(f) of the GDPR.
For the entire duration of the litigation or out-of-court proceedings, until the time limits for appeal have been exhausted.
After the aforementioned retention periods have expired, the Data will be destroyed or anonymised, subject to technical cancellation and backup procedures and the accountability requirements of the Controller.
PROVISION OF DATA
For some processing purposes, it is necessary for you to provide your data, without which it would not be possible to pursue the purpose of the processing. For other purposes, provision might be optional.
The provision of data is necessary for the fulfilment of the aforementioned contractual purposes. Refusal to provide data will not allow the user to use the company's internet network.
AUTHORIZED SUBJECTS
Personal data protection legislation requires that the persons authorised to process personal data be identified and that they be given specific processing instructions.
Data may be processed by the employees of the company functions deputed to the pursuit of the aforementioned purposes, who have been expressly authorised to process the data and who have received adequate operating instructions pursuant to Article 29 of the GDPR and Article 2 quaterdecies of Legislative Decree 196/2003, as amended and adapted by Legislative Decree 101/2018.
DATA RECIPIENTS
In order to pursue the purposes of the processing indicated in this information notice, we may pass on some of your data to parties outside the Company, who act as data controllers and/or processors. A data processor is an entity that processes data on behalf of the data controller: the purposes and methods of processing are always decided by the data controller.
Data may be communicated to entities acting as data controllers, including in particular:
a. Companies of the Group;
b. Authorities and supervisory and control bodies (e.g. Revenue Agency, Guardia di Finanza).
Data may be processed on behalf of the data controller by parties designated as data processors, including, in particular, companies or professionals who provide support for the implementation and maintenance of the Group’s information system and applications. The full list of data processors is available, upon request, by contacting the e-mail address [email protected]
DATA TRANSFER TO NON-EU COUNTRIES
Personal data enjoy specific protections within the European Union. For this reason, the GDPR requires that data subjects be informed about any transfer of data outside the Union, which must be assisted by specific safeguards.
There are no transfers of data outside the European Union.
RIGHTS OF THE DATA SUBJECT AND COMPLAINT TO THE SUPERVISORY AUTHORITY
The GDPR grants several rights to the data subject, which must be made known by the data controller through the information notice on the processing of personal data, in a concise, transparent, intelligible and easily accessible form.
By contacting the Company at [email protected] or the DPO at [email protected] , data subjects may:
- request from the controller access to the data concerning them, their rectification if inaccurate, their integration or deletion;
- request the restriction of processing, in the cases provided for in Article 18 of the GDPR;
- object to the processing in the cases of legitimate interest of the data controller referred to in Art. 21;
- in the event that the processing is based on consent or contract and is carried out by automated means, receive the data in a structured, commonly used and machine-readable format, as well as, if technically feasible, transmit them to another data controller without hindrance (“right to data portability”);
- withdraw consent given at any time;
- lodge a complaint with the competent supervisory authority in the Member State in which he/she normally resides or works or in the State where the alleged infringement occurred.