This Privacy Notice explains how PAT s.r.l. collects, processes and manages the personal data of its website visitors.

Introduction

The Regulation (EU) 2016/679 (“General Data Protection Regulation”, hereafter GDPR) includes measures for the protection of natural persons in relation to the processing of personal data. According to this regulation, the processing of personal data referring to a subject is based on principles of lawfulness, fairness and transparency as well as on the protection of confidentiality and the rights of the data subject. In compliance with the above-mentioned standards, we would like to inform you that, due to the relationship you have established as Customer with our Company, our Organization is in possession of some data related to you, which have been acquired verbally, directly or through third parties that carry out operations related to your person or aimed at satisfying your requests.
In accordance with the GDPR, data related to your person must be qualified as “personal data” and must therefore benefit from the protection provided by these provisions. Specifically, according to the above-mentioned legislation, you are the subject benefitting from the protection of your personal data.
Pursuant to articles 12 et seq. of the GDPR, our structure, as Data Controller, will process the personal data you provided us in compliance with the regulation and with the utmost care, by implementing procedures and effective management processes, in order to ensure the protection of your personal data. For that purpose, the Author undertakes to protect the transmitted information by using material and management procedures, in order to prevent unauthorized access or disclosure, as well as to maintain the accuracy of the data and also to ensure that they are used only in appropriate ways.

This online Privacy Note applies to the information we collect on this website only and not to other websites accessible to the user via links.

In accordance with this premise, we provide our Visitors with the following information:

 

Collected personal data

– The Author, in his capacity as Data Controller, uses personal data in order to better perform his own activities.

Therefore, you could be asked to provide some of the following personal data:

– Personal data, such as tax identification code, VAT number, name and surname, registered office, main residence, domicile and contact details;
– Data relating to the contractual relationship describing the type of contract, as well as necessary information about its execution and its fulfilment;
– Accounting data relating to the economic relationship with the Company, the amounts due, payments and the summary of the accounting status of this relationship;
– Data to better define the relationship with our structure and to make our cooperation and operational efficiency more effective;
– Data related to your employees and/or coworkers, on your profession or on your Company.

 

Data retention periods

The collected data will be retained for the entire duration of your relationship/collaboration with our Organization and 10 years after the contractual relationship has ended. In the case that data not relating to the fulfilment of administrative and accounting obligations need to be collected in order to fulfill the signed contract, these data will be retained exclusively for the time necessary to achieve the purpose for which they were collected. After this period of time, they will be deleted. You will be specifically informed of the retention periods of such data as soon as they are collected.

 

Mandatory or optional nature of providing data and consequences of a refusal

– It is mandatory to provide the Author with essential data aimed at fulfilling the contractual relationship, as well as data necessary to fulfill legal obligations, such as regulations, Community and national legislation or provisions issued by authorities empowered to do so by law or by supervisory and control bodies.

Data non-essential for the fulfillment of the contractual relationship must be clearly defined as additional information and the provision of such data, if required, is optional. However, any refusal to provide such data will result in less efficiency of our relationship with third parties.

It will be mandatory to provide “sensitive data or data presenting specific risks” if said data are essential to fulfill the contractual relationship or specific services and legal obligations. Since the processing of these personal data requires explicit written consent from the data subject (articles 9 and 10 GDPR), you will be asked to consent to their treatment.

 

Personal data processing methods

– Pursuant to and as an effect of article 12 et seq. of GDPR, we wish to inform you that the personal data you provide will be recorded, processed and stored in our paper and electronic archives in conformance with appropriate security measures dictated by the technical specifications in Annex B to the aforementioned legislative decree and the provisions of article 32 GDPR. The processing of your personal data may consist in any operation among those indicated in article 4 paragraph 1 point 2 GDPR.

Personal data will be processed directly and/or by delegated third parties through manual, digital and electronic tools as well as suitable procedures in order to guarantee their safety and confidentiality. To correctly manage the contractual relationship and fulfill legal obligations, personal data may be included in the Company’s internal documentation and, if necessary, in the records and registers compulsory by law.

 

Possible outsourced activities

– The Data Controller has the right to occasionally request other operators to perform certain services on his/her behalf, such as processing or similar services; services aimed at executing the requested operations or services; shipments and deliveries; accounting records; administrative activities; support services; professional services to manage projects, maintenance and ASM activities.

If the delegated operator is a Company that provides payment services, tax and treasury services, banking and brokerage, the following services could be performed: massive operations related to payments, bills, checks and other securities; transmission, enveloping, transport and sorting of communications; filing of documentation, detection of financial risks; fraud prevention; credit recovery. The above-mentioned operators will receive only the information they need in order to provide the commissioned services and will be required to respect the confidentiality clause, which prohibits them from using the provided data for purposes other than those agreed upon. In accordance with article 28 GDPR, operators usually not appointed to processing personal data must be designated as Data Processors and must then process data only to the extent strictly necessary to provide the commissioned service and exclusively for such purpose. Furthermore, it is up to them to ensure that their customers have signed a confidentiality agreement. In case of different situations not mentioned in this Privacy Note, the aforementioned subjects are required to provide specific information regarding the processing of their personal data.

Transfer of personal data abroad

– The data you provide will only be processed in Italy. If, during the contractual relationship, your data need to be processed in a non-EU state, you will be promptly informed and will still enjoy the rights guaranteed by the Community legislation.

Purposes of data processing

– The Author’s main purpose for processing your personal data is to regularly establish, enhance and correctly administrate the relationship specified in the introductory part of this Information Note.
In particular, the purposes of personal data processing are the following:

• Administrative/accounting procedures, in particular:
o Fulfillment of tax or accounting obligations;
o Customer management services (customer care management, contract administration, orders, shipments and invoices, solvency and reliability check);
o Litigation management (breach of contractual obligation, warnings, transactions, credit recovery, arbitration, legal disputes);
o Internal audit services (security and productivity control, service quality, integrity of the Company’s assets);
o Management of commercial and marketing activities (market analysis and research surveys);
o Promotional activities;
o Measurement of the degree of customer satisfaction;
o Support service;
o Professional services for project development or maintenance activities.
Personal data will be processed in order to fulfill legal, as well as administrative, insurance and tax obligations set out in the current legislation. Furthermore, the processing of personal data will aim at meeting accounting and commercial purposes, or at regularly fulfilling contractual and legal obligations in accordance with the legal relationship established with the subject. Furthermore, the data provided may also be used to contact the data subject during market research about products or services, as well as during commercial campaigns. In any case, the subject has the right to refuse to give consent to data processing for said purposes and can indicate how he/she would like to be contacted or to receive commercial information.

Dissemination scope

– The following categories of designated persons may be entitled to have access to your personal data, since they have been appointed by the Company to process them:

• Employees/Coworkers employed in or working as:
o In internal protocol and administrative offices;
o In survey and customer support offices;
o In accountancy offices also responsible for invoices;
o In marketing departments;
o As customer satisfaction officers;
o In fraud prevention offices;
o In regional and local offices;
o As external co-workers assigned to the enveloping service;
o At the help desk;
o As developers operating in third-level help-desk services;
o As consultants employed in project development, maintenance and ASM activities;
o As employees required to be available on standby;
o As consultants appointed for consultancy, assistance or support service to our structure;
o As managers and administrators;
o As members of control bodies;
o As agents, sales representatives and distributors.
Other subjects may also be entitled to access personal data by virtue of an agreement with the Company as well as with the Author and as described in the paragraph “Personal data processing methods”. The Author can delegate to these subjects the fulfilment of certain obligations or of particular acts, by virtue of the relationship with the subject concerned.

Data communication and dissemination

– The Author is entitled to communicate your personal data to one or more specific external subjects in order to fulfill all the necessary legal and/or contractual obligations. In particular, your data may be disclosed to:

1. Other companies of the Zucchetti Group, including parent, subsidiaries and affiliated companies;
2. Public offices, government agencies and supervisory or control authorities in accordance with legal and/or contractual obligations;
3. Banking institutions and/or credit institutions responsible for the management of payments deriving from the contractual relationship;
4. The writing subject is entitled to communicate your personal data as follows:

• To subjects who have the right to access data under the provisions of law, regulations or EU legislation, within the limits foreseen by such norms;
• To subjects who need to access your data for tasks related to the contractual relationship between the parties, to the extent strictly necessary to fulfill these tasks (examples include credit institutions and shipping agencies);
• To our consultants and/or professionals, to the extent strictly necessary to fulfill their tasks at our or their Organization, subject to prior agreement through a letter of assignment sent by our Company in order to impose a duty of confidentiality and security.

In any case, your data may only be disclosed to operators appointed to the execution of acts aimed at fulfilling relationships with the data subjects.

Data dissemination – Your personal data will not be disseminated indiscriminately: Our Company will not provide your data to indeterminate subjects, not even for consulting purposes.

Data confidentiality – The trust of all our customers who consent to our privacy policy is extremely important to our Company. Therefore, our Company undertakes not to sell, rent or lease your personal information to any third party.

Rights described in article 7 of Legislative Decree 196/2003 and article 15 GDPR – Pursuant to article 15 GDPR you are entitled to obtain confirmation of the existence of your personal data at our Company. This right also applies to data that have not been registered yet, and you are entitled to be informed about them in a comprehensible form. You have the right to obtain information on:
1. The source of the personal data;
2. The purposes and methods of data processing;
3. The categories of personal data;
4. The data retention periods;
5. The logic applied to the processing, if the latter is carried out with the help of electronic means;
6. The identity of the Data Controller, of data supervisors and of the designated supervisor for data protection;
7. The entities or categories of entities to whom or which the personal data may be communicated, or that have access to them in their capacity as designated local representatives or data processors.
As data subject, you also have the right to obtain:
1. Updating, rectification or, if interested therein, integration of your data;
2. Erasure, anonymization or blocking of data processed in violation of law, including data that do not need to be retained to fulfill the purposes for which they were collected or subsequently processed;
3. Certification that the parties to which the data have been transferred or disseminated have been notified of the operations specified in points a) and b), also regarding their content, unless this proves impossible to achieve or involves a manifestly disproportionate effort compared with the right that is to be protected.
4. The right to data portability does not apply to the context in which the Author, as delegated Data Controller, processes personal data.
5. For data requiring your explicit consent, you have the right to withdraw this at any time. In such cases, the Data Controller is required to immediately delete any personal data based on your consent.
You are entitled to fully or partially object to the processing of your personal data:
1. On legitimate grounds, even if said data are processed in a way which is pertinent to the purpose of their collection;
2. In case you don’t want them to be used to fulfill marketing purposes, such as direct selling, sending of advertising material, market or commercial communication surveys.
To exercise such rights, you can contact our Data Controller:
• at info@pat.it;
• by calling the phone number +39 0423/600531;
• by sending a letter to our company PAT s.r.l. Our address is via San Gaetano n. 113, 31044 Montebelluna (TV).
You will receive a reply within 30 days of receipt of your formal request.
Should you experience a personal data breach, you have the right to lodge a complaint with a Data Protection Authority.

Identity of the Data Controller and, if designated, of the local data supervisor and representative.
Data controller – The Author of the present text: Pat – registered office in Via San Gaetano, 113, 31044, Montebelluna (TV). Tel: (+39) 0423 600 531; email: info@pat.eu.

Data Protection Officer – The Data Protection Officer is Mario Brocca, who can be contacted at +39 0371/5943191 and by email: dpo@zucchetti.it

Data supervisors and representatives – External companies that need access to your personal data in order to fulfill contractual agreements with our Company.
You can request the identity of the present and future designated data supervisors and representatives directly from the Data Controller by sending a letter to the above-mentioned address.
Notice is hereby given that the Author only, as Data Controller, shall handle the requests sent by interested parties. This task shall not be carried out by the above-mentioned data supervisors and representatives (ref. article 7 of Legislative Decree 196/03).

Designated local representatives – Please note that our Company, in accordance with art. 4 paragraph 1 point 17 GDPR, has not designated any local representative to apply the provisions regulating the processing of personal data.

Data not requiring the explicit consent of the data subject in order to be processed – Please note that the Author shall be entitled to process your personal data in case of necessity, even without your explicit consent, in order to:
• Fulfill legal obligations, regulations or Community legislation;
• Fulfill contractual obligations or specific requests before the conclusion of the contract signed between you and our Company.
Furthermore, your explicit consent is not required when the processing of your data:
1) Refers to data that can be found in public registers, lists or documents accessible to anyone, always in accordance with the limitations and conditions about data accessibility and publication established by the law, regulations or Community legislation. Data related to economic activities must be processed in compliance with current regulations on corporate confidentiality and industrial secrecy;
2) Is necessary in order to safeguard a third party’s life or physical integrity. In this case, the data processor is required to inform the data subject that his/her personal data are being or have been processed. This requirement can also be fulfilled after the processing of said personal data, but without delay. Should such be the case, the consent must be expressed after the data subject has been informed.
3) Is necessary in order to conduct defensive investigations pursuant to the law 397/00, as well as to exercise or defend legal claims. In the above-mentioned case data can be processed exclusively for these purposes and for the period strictly necessary to fulfill them, in compliance with current regulations on corporate confidentiality and industrial secrecy;
4) Is necessary, as indicated by the Data Protection Authority in accordance with the principles defined by the Law, in order to pursue a legitimate interest claimed by the Data Controller or another third recipient of the data. This includes the activities of bank groups and other affiliated or controlled companies, unless they violate the subject’s fundamental rights and freedoms, dignity or legitimate interests.