SICAP S.r.l. (C.F. / P.IVA. (Tax Code / VAT Reg. No) 01537730440), with registered office at via S. Crispino 37, 63821 Porto Sant’Elpidio (FM), through its pro tempore legal representative, as Data Controller of the personal data of its customers, suppliers and site users, hereby informs you, pursuant to EU Regulation 679/2016 (GDPR) and the current Italian legislation on personal data protection, that your data will be processed in the following manner and for the following purposes.
1. Purpose of the contract
2. Legal purposes and basis of data processing
Your personal data may be processed for the following legal purposes and bases:
a) to enter into the contract with the Data Controller and manage the related relationships in the pre-contractual and contractual phases;
b) for the fulfilment of legal, administrative, tax and accounting obligations;
(the legal basis of processing for the purposes referred to in a) and b) above is the performance of the contract or pre-contractual measures and the fulfilment of legal obligations binding on the Data Controller under Art. 6 (1) b) and c) of the GDPR).
c) direct marketing to customers, through commercial and promotional communications to the e-mail address provided by the data subject, about products / services similar to those already provided (soft spam), by virtue of a previous commercial relationship, unless the data subject has invoked its right of opposition (the legal basis of the processing in the case of soft spam is the pursuit of a legitimate interest of the Data Controller pursuant to Art.6 (1 f) of the GDPR);
d) direct marketing, towards prospects, through commercial and promotional communications relating to the products / services of the Data Controller, through automated communication channels (e.g. sms, e-mail, app notifications) and through traditional channels (calls using operators, postal services for catalogues) (the legal basis of the processing is the consent of the data subject pursuant to Art.6 a) of the GDPR);
e) for subscription to the newsletter service via web form or by completion of the customer form distributed at our stores (the legal basis for the processing is the consent of the data subject pursuant to Art. 6 a) of the GDPR);
f) to provide assistance and / or information to data subjects, respond to communications received at the addresses on the site and / or in the dedicated site chat (the legal basis of processing is the performance of the contract or of pre-contractual measures pursuant to Art.6 (1) b) of the GDPR).
3. Processing methods
The data will be processed electronically and on paper, by means of the following operations: data collection, registration, organization, retention, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction.
The data will be processed by persons authorized to do so.
4. Data retention
For the purposes referred to a) and b) above, your personal data will be retained for the time necessary to fulfil the purposes indicated above. Furthermore, processed personal data may also be retained beyond the end of the contract for a period compatible with any requirements connected to subsequent events and / or facts and / or rights. Therefore, under the current provisions of the law, your data will be kept for 10 years from the end of the contract, unless events that interrupt the limitation period (Article 2946 et seq., Italian Civil Code).
For the purposes of direct marketing referred to in c) and d) above, personal data will be retained until it no longer needs to be processed for the purpose of collection and, in all cases, no later than 24 months from their acquisition.
For the purposes of e) above, until the right of revocation is exercised.
For the purposes of f) above, for as long as necessary to process the information request.
5. Recipients of data processing
Your data may be made accessible to authorized data processors or to external managers appointed in writing by the Data Controller.
The data may be communicated in fulfilment of legal obligations or for proper performance of the contractual relationship, for example, to social security, welfare and insurance bodies, trade associations, tax and employment offices, other group companies, legal, commercial, tax and auditing companies, court authorities, banks and credit institutions.
6. Transfer of data abroad
The Data Controller, in accordance with the above purposes, does not transfer your data to non-EU third countries or to international organizations. If technical and / or operational reasons or the performance of the contract require the use of parties based outside the European Union, we hereby inform you that the data will be transferred outside the EU pursuant to the applicable legal provisions, i.e. in accordance with an adequacy decision by the European Commission, or, in the absence of the latter, on the basis of the adequate guarantees provided pursuant to Articles 46 or 47 of the GDPR (e.g. signing of the "standard clauses” on data protection adopted by the European Commission), or if there is a waiver pursuant to Art. 49 of the GDPR.
7. Nature of the provision
The provision of data is mandatory for all legal and contractual obligations and, therefore, any refusal to provide data, in whole or in part, means that the company is unable to fulfil its contractual relationship in all its phases with the data subject.
The communication of data for direct marketing purposes is optional; you can therefore decide not to provide any data or to exercise, with reference to the purpose, including at a later date, your right of objection pursuant to Art. 21 of the GDPR as set out in paragraph 9 below.
In this case, your personal data will no longer be used for direct marketing but you will still be entitled to the services provided under the contract with the Data Controller in all its phases.
If the processing of your data is based on consent, the provision of your data is optional and you can revoke consent at any time, as explained in paragraph 9 below.
8. Rights of the data subject
Please note that as a data subject you can exercise the following rights:
- to access your personal data to obtain evidence of the purposes pursued by the Data Controller, the categories of data involved, the recipients to whom your data may be communicated, the applicable retention period, the existence of automated decision-making processes, including profiling and, at least in such cases, significant information on the IT methods used, as well as the importance and possible consequences for the data subject, where not already indicated in the text of this information notice;
- to obtain modification and / or integration of your personal data if you believe that they are inaccurate or incomplete;
- to obtain, in the cases provided for by law, erasure of the data;
- to obtain limitation of the processing or to object to it, when admitted on the basis of the legal provisions applicable to the specific case;
- in the cases provided for by law, to request the portability of the data you have provided to the Data Controller, i.e. to receive them in a structured format, commonly used and readable by an automatic device and also to request that the data be transmitted to another controller, if technically feasible;
- to lodge a complaint with the supervisory authority (Article 77 of the GDPR);
In particular, data subjects have the following rights: Art. 15 - “Right of access by the data subject”, 16 - “Right to rectification”, 17 - “Right to erasure”, 18 – “Right to restriction of processing”, 19 - “Notification obligation regarding rectification or erasure of personal data or restriction of processing”, 20 – “Right to data portability”, 21 – “Right to object”, 22 - “Automated individual decision-making, including profiling” of the GDPR within the limits and under the conditions provided for by 'art. 12 GDPR.
In general, please note that where personal data is processed on the legal basis of consent, this may be revoked.
9. How to exercise your rights
To exercise your rights, you can contact the Data Controller by sending a written communication to company headquarters: SICAP SRL, via S. Crispino 37, 63821 Porto Sant’Elpidio (FM) or you can send an email to: email@example.com
The Data Controller will send the data subject the requested information without undue delay and, in any case, within one month of receipt of the request. Where complexity and number of requests require it, this period can be extended, if necessary, by two months.
If it is not possible to provide the information within one month, the Data Controller shall inform the data subject within one month of receipt of the request.