PRIVACY NOTICE – Information notice pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)
1) WHO IS THE DATA CONTROLLER? HOW CAN IT BE CONTACTED?
The Data Controller is Boffi|DePadova S.p.A., with registered office at Via Oberdan no. 70, 20823 – Lentate sul Seveso (MB), Italy, represented by its Legal Representative pro tempore, who may be contacted by e-mail at privacy@boffi.com
HAS A DATA PROTECTION OFFICER BEEN APPOINTED? WHAT ARE THE CONTACT DETAILS?
Boffi|DePadova S.p.A. has appointed its Data Protection Officer (DPO) pursuant to Articles 37, 38 and 39 of the GDPR. The DPO may be contacted by e-mail at dpo.boffi@dpoprofessionalservice.it
2) PERSONAL DATA PROCESSED AND THEIR SOURCE
Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more elements characteristic of his or her physical, physiological, genetic, mental, economic, cultural or social identity.
CATEGORIES OF DATA PROCESSED: data relating to customers (including leads and prospects) and suppliers will be processed, connected with contractual and/or pre-contractual relationships, therefore including identification data (such as name, surname, tax code and VAT number, domicile), contact data (such as telephone number and e-mail address), tax, economic, financial and banking data.
SOURCE: data relating to the contractual and pre-contractual relationships of customers and suppliers of Adielle S.r.l. and De Padova S.r.l. originate from De Padova S.r.l. and/or Adielle S.r.l., which were merged into Boffi S.p.A., subsequently changing its corporate name to Boffi|DePadova S.p.A., the new Data Controller as identified above.
3) PURPOSES OF PROCESSING, LEGAL BASIS, RETENTION PERIOD, NATURE OF DATA PROVISION
A) PERFORMANCE OF A CONTRACT OR FOR THE PURPOSE OF ENTERING INTO A CONTRACT AND COMPLIANCE WITH ADMINISTRATIVE, ACCOUNTING AND LEGAL OBLIGATIONS, related to the establishment, performance and termination of the contractual relationship.
Legal Basis. Performance of a contract or pre-contractual measures (C44). Article 6(1)(b) GDPR.
Retention Period. 10 years. Article 2220 of the Italian Civil Code, without prejudice to contractual and extra-contractual matters that may arise and to different legal obligations.
Nature of Data Provision. Necessary for the stated purposes. Failure to provide the required personal data will make it impossible to establish a contractual relationship with you.
B) MANAGEMENT OF LEGAL MATTERS, including out-of-court and judicial activities and legal defense in the event of proceedings.
Legal Basis. Legitimate interest of the Data Controller, provided that the interests or fundamental rights and freedoms of the data subject requiring protection of personal data do not prevail (C47–C50). Article 6(1)(f) GDPR.
Retention Period. 10 years, subject to objection and for the time necessary for legal defense.
Nature of Data Provision. Necessary for the stated purposes. Failure to provide the data will prevent the pursuit of the legitimate interest of the Data Controller referred to in this section. Any refusal shall be balanced against the legitimate interest of the Data Controller.
C) MANAGEMENT OF YOUR REQUESTS AS A DATA SUBJECT and of requests from other data subjects, pursuant to Articles 15 et seq. of the GDPR (data subject rights).
Legal Basis. Compliance with a legal obligation to which the Data Controller is subject (C45). Article 6(1)(c) GDPR.
Retention Period. 5 years from the closure of the request, unless disputes arise.
Nature of Data Provision. Mandatory, as it is essential in order to comply with legal obligations.
D) MANAGEMENT CONTROL, aimed at guiding management towards the achievement of objectives set during operational planning, by measuring specific indicators, identifying deviations between planned objectives and achieved results and informing the competent bodies so that appropriate corrective actions may be decided and implemented.
Legal Basis. Legitimate interest of the Data Controller, provided that the interests or fundamental rights and freedoms of the data subject do not prevail (C47–C50). Article 6(1)(f) GDPR.
Retention Period. Maximum 10 years, subject to objection.
Nature of Data Provision. Necessary for the stated purposes. Failure to provide the data will prevent the pursuit of the legitimate interest of the Data Controller referred to in this section. Any refusal shall be balanced against the legitimate interest of the Data Controller.
E) SUPPLIER EVALUATION, through identification data, company presentations or job profiles.
Legal Basis. Legitimate interest of the Data Controller, provided that the interests or fundamental rights and freedoms of the data subject do not prevail (C47–C50). Article 6(1)(f) GDPR.
Retention Period. Maximum 3 years.
Nature of Data Provision. Necessary for the stated purposes. Failure to provide the data will prevent the pursuit of the legitimate interest of the Data Controller referred to in this section. Any refusal shall be balanced against the legitimate interest of the Data Controller.
F) DIRECT MARKETING, for the sending of advertising or direct sales material or for carrying out market research, satisfaction surveys or commercial communications and newsletters via automated means (e-mail). In order to compare and possibly improve communication results, the Data Controller may use newsletter delivery systems with reporting tools, enabling it to know, by way of example: the number of readers, openings, unique clicks and total clicks; the devices and operating systems used to read the communication; details on the activity of individual users; details of emails sent, delivered, undelivered and forwarded. All such data are used for the purpose of comparing and possibly improving communication results.
Legal Basis. Consent to the processing of personal data (C42, C43). Article 6(1)(a) GDPR.
Retention Period. Until consent is withdrawn (opt-out).
Nature of Data Provision. Failure to provide the required data will make it impossible to receive direct marketing communications.
G) MANAGEMENT OF INFORMATION FLOWS PROVIDED FOR BY THE ORGANISATIONAL, MANAGEMENT AND CONTROL MODEL (MOGC) adopted pursuant to Legislative Decree 231/2001 and aimed at preventing the liability of entities for administrative offences arising from criminal acts. In particular, data will be collected in order to enable the Supervisory Body (OdV) to monitor the functioning of and compliance with the MOGC.
Legal Basis. Compliance with a legal obligation to which the Data Controller is subject (C45). Article 6(1)(c) GDPR.
Retention Period. Maximum 10 years from the time the Supervisory Body receives the information flows provided for by the MOGC.
Nature of Data Provision. Mandatory, as it is essential in order to comply with legal obligations (Article 6(2) Legislative Decree 231/2001).
4) TO WHOM WILL PERSONAL DATA BE DISCLOSED? DATA RECIPIENTS
Personal data will be disclosed to entities processing data as independent Data Controllers or as Data Processors (Article 28 GDPR) and processed by natural persons (Article 29 GDPR) acting under the authority of the Data Controller and the Data Processors on the basis of specific instructions regarding the purposes and methods of processing. Data will be disclosed to recipients based in Italy belonging to the following categories:
- affiliated companies
- entities based in Italy that manage/support/assist, even occasionally, the Data Controller in the administration of the IT system and telecommunications networks (including e-mail, web platforms and cloud services)
- newsletter and CRM platform providers, subject to consent
- entities provided for by applicable accounting and tax legislation as recipients of mandatory communications
- banking, insurance and similar institutions
- entities providing customer and supplier management platforms
- entities with whom the Data Controller has entered into economic agreements
- firms or companies providing tax consultancy and administrative/accounting assistance
- commercial information companies for creditworthiness and payment behavior assessment and/or entities for debt collection purposes
- entities and members of the Supervisory Body pursuant to Legislative Decree 231/2001
- competent authorities for compliance with legal obligations and/or provisions of public bodies, upon request
The list of Data Processors pursuant to Article 28 GDPR is available by writing to privacy@boffi.com
5) IS THERE A TRANSFER OF DATA TO A NON-EEA COUNTRY?
Personal data will be stored in Italy. Data transfers to non-EEA countries may take place in the event that the Data Controller uses providers of assets necessary for carrying out the company’s activities that are located outside the EEA and/or transfers data to companies belonging to the Boffi|DePadova group, where these are located outside the EEA. In such cases, the Data Controller ensures that the transfer takes place in accordance with the safeguards provided for by Articles 44 et seq. of the GDPR. For further information, the data subject may write to: privacy@boffi.com
6) IS THERE AN AUTOMATED PROCESS?
Personal data will be processed using traditional manual, electronic and automated means. It is specified that no fully automated decision-making processes are carried out.
7) RIGHTS OF DATA SUBJECTS
Data subjects may exercise their rights as set out in Articles 15 et seq. of the GDPR by contacting the DPO at the e-mail address: dpo.boffi@dpoprofessionalservice.it or by contacting the Data Controller at privacy@boffi.com. The Data Controller guarantees data subjects the right to request, at any time, access to their personal data (Article 15), rectification (Article 16), erasure (Article 17), and restriction of processing (Article 18). The Data Controller shall notify (Article 19) each recipient to whom personal data have been disclosed of any rectification, erasure or restriction of processing carried out. The Data Controller shall inform data subjects, upon request, of such recipients. The Data Controller guarantees the right to data portability (Article 20) and, in the event of requests pursuant to Article 20, will provide data in a structured, commonly used and machine-readable format. Data subjects have the right to object (Article 21), at any time, to processing based on legitimate interest, by writing to the above contact details with the subject “objection”. In the event of the exercise of the right to object, data subjects may request information on the balancing test carried out. Data subjects have the right to withdraw consent at any time, without prejudice to the lawfulness of processing based on consent before its withdrawal. To no longer receive automated direct marketing communications, data subjects may write an e-mail to dpo.boffi@dpoprofessionalservice.it with the subject “unsubscribe from automated communications” or use the automatic unsubscribe systems provided for e-mails only (opt-out). 
If data subjects believe that the processing of their personal data by the Data Controller infringes Regulation (EU) 2016/679, they may lodge a complaint with the competent national supervisory authority, in particular in the Member State of their habitual residence or place of work, or where the alleged infringement occurred (Italian Data Protection Authority – Garante Privacy https://www.garanteprivacy.it/), or bring the matter before the competent judicial authorities.
8) CHANGES TO THE PRIVACY NOTICE
The Data Controller may change, amend, add to or remove any part of this Privacy Notice. In order to facilitate verification of any changes, the notice will indicate the date on which it was last updated.