Legal advice

EXTENDED INFORMATION NOTICE PURSUANT TO ART. 12, 13 AND, WHERE APPLICABLE, 14 OF THE GDPR – REGULATION (EU) 2016/679 ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER THE GDPR)

The data controller hereby provides the Information Notice pursuant to Articles 12, 13 and, where applicable, 14 of the GDPR concerning the processing of personal data provided by the Customer/interested party by completing and signing the Contract in order to purchase the products/services offered for sale by the data controller itself, by voluntarily uploading personal data onto this website (in particular by filling in forms) or by simply browsing it.

  1. Data controller and contact details

The data controller is BCM CONSULTING SRL – P.IVA: 02926470986 – E-mail: info@alessandrogiglio.com

  2. Principles applicable to processing

In accordance with the requirements of the GDPR, the data controller constantly endeavours to ensure that personal data are:

Processed in a lawful, fair and transparent manner.

Collected for specified, explicit and legitimate purposes, and subsequently processed in a way that is not incompatible with those purposes.

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accurate and, where necessary, kept up to date.

Kept for a period of time not exceeding the fulfilment of the purposes for which they are processed.

Processed, using appropriate technical and organisational measures, in such a way as to ensure their security.

Processed, if by virtue of consent, by a decision freely made by the Client/Interested party, on the basis of a request made in a clearly distinguishable manner from the rest, in a comprehensible and easily accessible form, using simple and clear language.

The data controller shall take appropriate technical and organisational measures to ensure the protection of personal data by design and to ensure that only the data necessary for each specific processing purpose are processed by default.

The data controller collects and takes into the utmost consideration indications, remarks and opinions of the Client/Interested person transmitted to the above-mentioned addresses, in order to implement a dynamic privacy management system that ensures effective protection of persons, with regard to the processing of their data.

This Information Notice may be subject to change, in line with the evolution of the reference legislation and of the technical and organisational measures adopted by the data controller; the Customer/concerned party is, therefore, requested to periodically visit this section of the Website, in order to view the updates and the Information Notice in the text in force from time to time.

  3. Methods of personal data processing

Personal data is processed manually and by electronic means, with logic strictly related to the purposes indicated below and, in any case, in such a way as to guarantee the security and confidentiality of the data.

  4. Purposes of personal data processing

(4a) Purposes for which data processing is necessary

The personal data provided by the Customer/Interested Party are mainly processed for the performance of the Contract and the management of the credit and, more generally, of the relationship arising from the Contract itself.

The provision of data in the Contract or later, during the course of the contractual relationship, for the processing purposes in question is compulsory; therefore, failure to provide such data, or providing it only in part or inaccurately, makes it impossible to enter into and/or execute the Contract and, for the Customer/interested party, to take advantage of the products/services offered by the data controller, potentially exposing the Customer/interested party to liability for breach of contract.

The personal data provided by the Customer/Subject may also be processed if this is necessary to comply with a legal obligation to which the Controller is subject, to safeguard the vital interests of the Customer/Subject or of another natural person, to perform a task carried out in the public interest or in the exercise of public powers vested in the Controller, or to pursue the legitimate interests of the Controller or of third parties, provided that the interests or fundamental rights and freedoms of the Customer/Subject do not prevail; also in these cases, the provision of the data is mandatory and, therefore, failure to provide the data, or its partial or inaccurate provision, may expose the Client/Party to possible liabilities and sanctions provided for by the legal system.

(4b) Further processing purposes following specific and express consent of the Client/Interested Party

In addition to the purposes of the processing described above, the personal data provided/acquired may be processed, subject to the consent of the Customer/interested party, to be expressed by checking the <> box on the Contract or on the Site (or using other social or web applications of the data controller), also for the purpose of carrying out market surveys and for commercial and promotional communications, by telephone (also using the mobile phone number provided) and automated contact systems (e-mail, sms, mms, fax, etc.), on products/services of the data controller or of companies of the Group to which the data controller may belong.
Consent for the purposes of the processing referred to in this point (4b) is optional; therefore, following any refusal, the data will be processed only for the purposes indicated in point (4a) above, except as specified below with reference to the legitimate interests of the data controller or of third parties.

  5. Categories of personal data processed

The data controller mainly processes identification/contact data (name, surname, addresses, type and number of identification documents, telephone numbers, e-mail addresses, tax/invoicing data, among others) and, if commercial transactions are envisaged, financial data (of a banking nature, in particular current account identification, credit card numbers, among others related to the aforesaid commercial transactions).

The processing that the data controller carries out, both for the purpose of executing the Contract and by virtue of the express consent of the Customer/involved party, does not generally concern special categories of personal data, known as sensitive data (revealing racial or ethnic origin, political opinions, religious beliefs, state of health or sexual orientation, etc.), nor does it concern genetic and biometric data or so-called judicial data (relating to criminal convictions and offences).

However, it cannot be ruled out that the data controller, in order to perform its obligations under the Contract, must store and/or needs to process sensitive, genetic and biometric or judicial data, of the Customer or of third parties, which the Customer or the data subject holds as data controller; in this case, the processing by the data controller takes place by virtue of, under the conditions and within the limits set forth in the appointment of the data controller as data processor by the Customer or the data subject.

The data controller also processes, in its capacity as data controller with reference to the Site, and, potentially, as data processor appointed for this purpose (under the terms set out above) by the Customer/interested party, the so-called navigation data. The computer systems and software procedures used to operate the websites acquire, during their normal operation, some personal data, the transmission of which is implicit in the use of Internet communication protocols. This is information that is not collected in order to be associated with identified subjects, but which, by its very nature, could make it possible to identify the person concerned. This category of information includes geolocation data, IP addresses, browser type, operating system, domain name and addresses of websites accessed or exited from, information on the pages visited by users within the site, access time, length of stay on the individual page, internal path analysis and other parameters relating to the user’s operating system and IT environment. This is information that, by its very nature, allows users to be identified through processing and associations, including with data held by third parties.

The Site may also use cookies, both session cookies (which are not stored on the user’s computer and disappear when the browser is closed) and persistent cookies, to transmit information of a personal nature, or in any case systems for tracing the interested parties.

  6. Source of personal data

The personal data that the data controller processes are collected directly by the data controller from the Customer/ data subject at the time of, and during, the latter’s browsing of the Site (or using other social or web applications of the data controller), or, also through its sales staff, at the time of, or subsequent to, the signing of the Contract, during the performance of the same, or from public sources.

As specified above, the data controller, as the data processor entrusted with this task, in order to perform the obligations arising from the Contract, may store and/or process data, in particular navigation data, potentially also sensitive, genetic and biometric or judicial data, of third parties, which the Customer/interested party has in its capacity as data controller, acquired, with the consent of said third parties, at the time of, and during, the navigation of said third parties on the Site (or using other social or web applications referable to the data controller).

  7. Legitimate interests

The legitimate interests of the data controller or of third parties may constitute a valid legal basis for the processing, provided that they do not override the interests or fundamental rights and freedoms of the data subject. In general, such legitimate interests may exist where there is a relevant and appropriate relationship between the data controller and the data subject, for example where the data subject is a customer of the data controller. In particular, the legitimate interests of the data controller include the processing of personal data of the customer/ data subject: for fraud prevention purposes, for direct marketing purposes, to ensure the free circulation of such data within the business group to which the data controller may belong, or relating to traffic, in order to ensure network and information security, i.e. the ability of a network or system to withstand unforeseen events or unlawful acts that may compromise the availability, authenticity, integrity and confidentiality of data.

  8. Circulation of personal data

(8a) Circulation of personal data – categories of recipients

In addition to employees and collaborators in various capacities of the data controller (who are authorised by the data controller to process the data by virtue of appropriate written operating instructions, in order to ensure data confidentiality and security), certain processing operations may also be carried out by third parties, to whom the data controller entrusts certain activities, or parts thereof, functional to the purposes referred to in point (4a), therefore in performance of contractual or legal obligations, including, by way of a non-exhaustive list: commercial and/or technical partners; companies that provide banking and financial services; companies that provide document filing services; debt collection companies; auditing and financial statement certification companies; rating companies; parties that provide the data controller with professional assistance and consultancy; companies that provide customer care; factoring companies, credit securitisation companies or otherwise assignees of credits; companies in the Group to which the data controller may belong; parties that provide commercial information; IT service companies. The subjects belonging to the aforesaid categories process personal data in their capacity as autonomous data controllers, or as data processors, with reference to specific processing operations that fall within the contractual services that the subjects themselves perform for/on behalf of the data controller; to the data processors the data controller issues adequate written operating instructions, with particular reference to the adoption of minimum security measures, in order to be able to guarantee data confidentiality and security.

Some processing operations may be carried out by third parties, to whom the data controller entrusts certain activities, or part of them, also in relation to the purposes referred to in point (4b), including, by way of a non-exhaustive list: business and/or technical partners; companies that provide marketing services on an institutional basis; advertising agencies; parties that provide assistance and consultancy with reference to competitions and prize-winning operations. The subjects belonging to the aforesaid categories process personal data in their capacity as autonomous data controllers, or as data processors, with reference to specific processing operations that are part of the contractual services that the subjects themselves perform for/on behalf of the data controller; to the data processors the data controller issues adequate written operating instructions, with particular reference to the adoption of minimum security measures, in order to be able to guarantee data confidentiality and security.

A list, subject to periodical update, of the data processors with whom the data controller has dealings is available on written request to be sent to the data controller’s head office.

Personal data may also be communicated, upon request, to the competent authorities, in fulfilment of obligations deriving from mandatory provisions of law.

(8b) Transfer of personal data to third countries

The personal data of the Client/Interested Party may also be transferred abroad, either to countries within the European Union or to countries outside the European Union and, in the latter case, either on the basis of an adequacy decision, or within the scope of and with the adequate safeguards provided for by the GDPR (therefore, in particular, in the presence of standard contractual clauses on data protection approved by the European Commission), or, outside the aforementioned hypotheses when one or more of the exceptions provided for by the GDPR apply (in particular, by virtue of the express consent of the Client/Preferred Client, or for the performance of a contract concluded between the data controller and another natural or legal person for the benefit of the Client/Preferred Client, in particular for the performance of activities entrusted to it by the data controller for the performance of the Contract concluded with the Client/Preferred Client). In the event of transfers of data to countries outside the European Union, the Client/Party is allowed, upon written request to be sent to the data controller’s head office, to know the adequate guarantees, or rather the exceptions, that legitimise cross-border processing. It is understood, in the event of transfer of data to countries outside the European Union, that for any request concerning the data, also for the exercise of the rights recognised by the GDPR to the Customer/Interested Party, the latter may always validly apply to the data controller.

  9. Criteria for determining the period of retention of personal data

For the purposes referred to in point (4a) above, the retention period of the personal data released by the Customer/interested party, and the resulting potential processing thereof, coincides with the period of prescription of the rights/duties (legal, fiscal, etc.) arising from the Contract: basically 10 years, therefore, except for the occurrence of interruptive events that could, in fact, prolong the said period.
For the purposes referred to in point (4b) above, the retention period of the data released by the Client/Preferred Customer, and the consequent potential processing thereof, shall end with the revocation of the consent previously given by the Client/Preferred Customer or, failing this, in any case one year after the termination of any relationship between the data controller and the Client/Preferred Customer.

  10. Rights of the Customer/Interested Party

The data controller acknowledges – and facilitates the exercise, by the Client/Subject, of – all the rights provided for by the GDPR, in particular the right to request access to his/her personal data and to take a copy of it (art. 15 GDPR), to rectification (art. 16 GDPR) and deletion of the same (art. 17 GDPR), to limitation of the processing concerning him/her (art. 18 GDPR), to the portability of the data (Art. 20 GDPR, if the conditions are met) and to oppose the processing of his or her data (Art. 21 and 22 GDPR, for the hypotheses mentioned therein and, in particular, to processing for marketing purposes or which results in automated decision-making, including profiling, which produces legal effects concerning him or her, if the conditions are met).

The data controller also grants the Client/Party, where the processing is based on consent, the right to withdraw said consent at any time, without prejudice to the lawfulness of the processing based on the consent given before the withdrawal. In order to do so, the Customer/Subject may unsubscribe at any time on the Site (or on other social or web applications of the data controller) or by using the appropriate link at the bottom of any commercial communication received, or by contacting the data controller at the contact details given above.

The data controller also informs the Customer/Interested Party of the right to lodge a complaint with the Italian Data Protection Authority, as a supervisory authority operating in Italy, and to lodge a judicial appeal, both against a decision of the Data Protection Authority and against the data controller itself and/or a data processor.

  11. Security of systems and personal data

Taking into account the state of the art and the cost of implementation, as well as the nature, object, context and purposes of the processing, and the risk, in terms of probability and severity, to the rights and freedoms of natural persons, the controller shall implement technical and organisational measures deemed appropriate to ensure a level of security appropriate to the risk, in particular by ensuring on a permanent basis, the confidentiality, integrity, availability and resilience of the processing systems and services (including through the encryption of personal data, where necessary) and the ability to restore data availability in a timely manner in the event of a physical or technical incident, and by adopting internal procedures aimed at regularly testing, verifying and evaluating the effectiveness of the technical and organisational measures employed.

In assessing the adequate level of security, account shall be taken of the risks presented by the processing which arise, in particular, from the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidentally or unlawfully.

The controller shall ensure that any person acting under its authority and having access to personal data does not process such data unless instructed to do so by the controller.

Having said this, the customer/concerned party acknowledges and accepts that no security system guarantees, in terms of certainty, absolute protection; therefore, the data controller shall not be liable for the acts or deeds of third parties who, despite the appropriate precautions taken, gain access to the systems without due authorisation.

  12. Automated decision-making processes, including profiling

The data controller may carry out automated decision-making processes, including profiling, in relation to the purposes set out in point (4b) above, to optimise the navigability of the Site (or the usability of other social or web applications of the data controller) and to improve the purchasing experience, without prejudice to what has been specified above with regard to the Customer’s/ data subject’s rights to object and withdraw consent.
Profiling shall mean any form of automated processing of personal data aimed at assessing certain aspects relating to a natural person, in particular to analyse or predict aspects concerning, for example, the personal preferences, interests or location of that person, including for the purpose of creating profiles, i.e. homogeneous groups of subjects by characteristics, interests or behaviour.

The data controller shall not carry out any automated processing that produces legal effects concerning the Client/Party or that significantly affects him/her in a similar way, unless this is necessary for the conclusion or execution of the Contract, is authorised by law or is based on the express consent of the Client/Party, in any case always recognising the Client/Party’s right to obtain human intervention, to express his/her opinion and to contest the decision.