negg® S.r.l. (hereinafter negg®), based in Rome, Piazza del Popolo, No. 18, as data controller for the processing of personal data pursuant to Legislative Decree 196/2003 Code regarding the protection of personal data (“Privacy Code”) and subsequent amendments – and to EU Regulation 2016/679 – General Data Protection Regulation (“GDPR”) (hereinafter the Privacy Code and the GDPR are collectively referred to as “Applicable Regulations”) recognizes the importance of the protection of personal data and considers their protection as one of the main objectives of its business.
This document sets out the other information required to be given by law, including information on the data subject’s rights and how to exercise them.
Regulation (EU) 2016/679 on the protection of personal data lays down rules on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and safeguards individuals’ fundamental rights and freedoms, with particular regard to the data subjects’ rights to have their personal data protected.
Under Article 4, No. 1 of the Regulation, “Personal Data” means any information relating to an identified or identifiable natural person (the “Data Subject”).
Pursuant to Articles 12 et seq. of the Regulation, the Data Subject must also be made aware of the appropriate information concerning: (i) the Data Processing conducted by the Data Controller; (ii) the rights of Data Subjects. negg® confirms that the processing of personal data will be based on the principles of legality, fairness, transparency, purpose limitation and retention, data minimization, accuracy, integrity and confidentiality. Therefore, personal data will be processed in accordance with the legislative provisions of the Applicable Regulations and the confidentiality obligations set out therein.
1. Data Controller
In accordance with the Applicable Regulations, the data controller is negg® S.r.l. based in Rome, Piazza del Popolo, No. 18.
For any information concerning the processing of personal data by the Data Controller, including a request for the list of data processor personnel working on behalf of the Data Controller, please contact email@example.com.
“Personal Data” refers to any information concerning an identified or identifiable physical person with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more elements pertaining to their physical, physiological, psychic, economic, cultural or social identity.
“Particular Data” refers to personal data sufficient to reveal the racial and ethnic origin, religious or philosophical convictions, or membership of Trade Unions, as well as genetic and biometric data, data related to health or sex life or to the sexual orientation of the person.
“Judicial Data” refers to personal data relating to criminal convictions and crimes or related security measures.
“Data Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4, No. 2 of the Regulation).
3. Types of data processed
The processing relates to personal and identification data provided voluntarily by the party concerned (for example but not limited to: name, surname, address, VAT number, tax code, phone or mobile number, e-mail address, bank account details, etc.).
4. Data Processing location
Data processing takes place at the aforementioned headquarters of the data controller, at the operational offices and at identified third parties.
5. The purposes of the processing and legal basis
Personal data voluntarily provided will be processed by the data controller for the following purposes:
(i) performing the activities that negg® has been engaged to conduct;
(ii) fulfilling legal obligations generally imposed on negg®;
(iii) administrative-accounting. For the purposes of the application of the provisions regarding the protection of personal data, processing operations performed for administrative-accounting purposes are those related to the performance of organizational, administrative, financial and accounting activities, regardless of the nature of the data processed. In particular, these objectives are pursued by the internal organizational activities, those functional to the fulfilment of contractual and pre-contractual obligations, the management of the employment relationship in all its phases, bookkeeping and the application of the rules on tax matters, Trade Unions, social security, health, hygiene and safety at work.
(iv) Information and promotions. The use of e-mail contact details provided by the customer in the context of the sale of a product or service for direct sales of its products and services, or collected through the “Contact us” area of the institutional website negg.international, is permitted for the purpose of sending information and newsletters. The party concerned, at the time of collection and at the time of sending each communication, is informed of the possibility to object at any time to the processing, easily and free of charge (Article 130 paragraph 4 of Legislative Decree 196/03).
(v) Security, pursuant to Legislative Decree 81/2008. With particular reference to identification data freely given by the guest/visitor to our offices (name, surname, institution or company), the processing has the exclusive purpose of ensuring compliance with corporate security procedures formally applied, in compliance with the applicable regulations (i.e. annotation in the register/visitor database, assignment of temporary identification badge, application of legal obligations in the field of safety at work).
As the Personal Data has to be processed for the purposes indicated under points (i) and (ii), (iii) and (v) above so that negg® may perform its contractual and/or pre-contractual obligations and fulfil specific legal obligations, respectively, the Data Subject’s consent is not required for those purposes.
6. Methods for processing and storing data
In compliance with the provisions of Article 5 of the Regulation, Personal Data processed by negg® is:
(i) processed lawfully, fairly and in a transparent manner in relation to the Data Subject;
(ii) collected and registered for specified, explicit and legitimate purposes, and further processed in a manner that is compatible with those purposes;
(iii) adequate, relevant and limited to what is necessary to the purposes for which they are processed;
(iv) accurate and, where necessary, kept up to date;
(v) processed in a manner that ensures appropriate security;
(vi) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed.
Personal Data will be processed by the Data Controller by automated and non-automated means. The Personal Data will be stored electronically on secure servers located in restricted areas with limited access.
Specific security measures are adopted so as to prevent data loss or data usage in an unlawful or improper manner, as well as to prevent unauthorised access thereto.
7. Provision of personal data
Personal Data must be provided so as to allow negg® to conduct the activities referred to in points (i) and (ii) of paragraph No. 5. Therefore, if a Data Subject does not provide the relevant Personal Data, negg® will be unable to properly perform the commercial activities it has been engaged to conduct and to fulfil its specific obligations provided under the law.
The provision of Personal Data for the purposes provided for under point (iv) of paragraph 5 is, by contrast, optional. Lack of consent from a Data Subject would, however, mean negg® is unable to send the Data Subject updates or material containing information of a commercial nature and information relating to negg®’s activities.
The processing will be carried out in both an automated and manual manner, with methods and tools aimed at safeguarding maximum security and confidentiality, by persons appointed as responsible for and in charge of processing in accordance with the applicable legislation.
The data will be stored for a period not exceeding what is necessary for the purposes for which such data were collected and subsequently processed, and in any case for the duration of the contractual or commercial relationship.
It is understood, however, that, once the contractual relationship with negg®, and with it the purpose for which the Data has been processed, has come to an end, the Data Controller will, in any event, be required and/or entitled to continue to store Personal Data, in whole or in part, for certain purposes, as expressly required by specific provisions of the law (such as the obligation to keep accounting records for a period of 10 years provided for under Article 2220 of the Italian Civil Code) or to assert or defend a right in court (for example, in the event of possible disputes in respect of the activities conducted by negg®).
8. Disclosure of personal data
The data being processed will not be divulged unless the interested party has granted explicit authorization after being appropriately informed. The data may instead be communicated to companies contractually linked to the Data Controller. The data may be disclosed to third parties belonging to the following categories:
– subjects that provide services for the management of the information system used by the Data Controller and the telecommunications networks, and that are responsible for the maintenance of the technological areas (including e-mail and the newsletter service);
– individuals and entities that collaborate with the Data Controller to carry out training courses, for example but not limited to: teachers, Interprofessional Funds;
– professionals, firms or companies in the field of assistance and consultancy;
– insurance, banking and financial companies;
– individuals that perform control, revision and certification of the activities carried out by the Data Controller;
– competent authorities for the fulfilment of legal obligations and/or provisions of public entities, upon their request.
The identification data processed in compliance with corporate security procedures are not subject to communication, without prejudice to express and specific requests on the part of the competent judicial and investigative Authorities.
The individuals belonging to the aforesaid categories perform the function of Data Processing Manager or operate in complete autonomy as separate Data Controllers. The list of data processor personnel and shared data controllers is constantly updated and available on request from the Data Controller’s headquarters.
Any further communication or divulgation will take place only with the explicit consent of the party concerned.
Moreover, during the ordinary processing activities, the subjects expressly designated by the Data Controller as responsible for and/or in charge of processing, authorized according to their respective profiles, will be able to access personal and identifying data and therefore become aware of them.
9. Public disclosure of personal data
Personal Data is not subject to public disclosure.
10. Transfer of personal data abroad
Personal Data may be transferred to European Union Member States and third countries that are not part of the European Union for the purposes indicated in paragraph 5 above. If Personal Data is transferred outside the European Union without any decision having been taken by the European Commission on the adequacy of the protections provided in relation thereto, the applicable legislation on the transfer of Personal Data to third countries that are not part of the EU will still be observed.
11. Nature of conferral and refusal
With regard to the data that we are obliged to obtain in order to fulfil the obligations arising from existing contracts, and the obligations demanded by laws, regulations, Community legislation, or provisions issued by the Authorities legitimated to do so by law and by supervising and controlling entities, failure to provide such data will make it impossible to establish or continue the relationship, within the limits in which such data are necessary for the execution of the same. The provision of data to allow the Data Controller to send commercial communications is optional; the party concerned can object to the processing at any time by exercising the rights provided for under the Applicable Regulations in the forms and methods indicated herein.
The Data Controller also states that any non-communication, or incorrect communication, of one of the mandatory information areas, will have the following consequences:
– the impossibility for the Data Controller to guarantee the adequacy of the processing itself to the contractual agreements for which it is performed;
– the possible lack of correspondence of the results of the processing to the obligations imposed by the fiscal, administrative and civil law to which it is addressed.
12. The data subject’s rights
Data Subjects can access their Personal Data at any time for the purpose of rectifying, erasing and generally exercising any and every right to which they are expressly entitled under the applicable legislation that protects their Personal Data. More specifically, they can exercise the following rights: to obtain confirmation as to whether or not Personal Data concerning them exists and to have it disclosed in an intelligible form; to know the source, purpose and manner in which Personal Data are processed; to know the identity of the Data Controller, as well as the identity of the data processors and the parties or categories of parties to whom Personal Data can be disclosed; to verify whether or not the Personal Data is accurate or to request that it be completed, updated or rectified; to request that Personal Data processed in violation of the law be erased, anonymised or blocked, as well as to request the restriction of processing in accordance with the law, and to object, in any event, in whole or in part, for legitimate reasons, to the processing thereof; to data portability; to file a complaint, report or petition with the Data Protection Authority, in those situations in which the required conditions are met. The applicable legislation also recognises the Data Subjects’ right to object to their Personal Data being processed for the purposes stated in point (iv) of paragraph 1 of this policy, as well as the right to revoke their consent to Data Processing at any time, without prejudice, however, to the lawfulness of the manner in which the Personal Data has been processed by the Data Controller on the basis of such prior consent.
13. Notices and data subject’s exercise of their rights
For the purpose of exercising their rights provided for under paragraph 12, Data Subjects can contact at any time the internal Data Processor by email to firstname.lastname@example.org.
14. Career and job opportunities
Whenever a resume submitted through negg®’s website contains personal data sufficient to reveal the racial and ethnic origin, religious or philosophical convictions, or membership of Trade Unions, as well as genetic and biometric data, or data related to the health, sex life, judicial situation or sexual orientation of the person, and does not include express consent to the processing of such data, this consent will be requested explicitly in writing. If no reply is received within 14 days from the request, the data will be permanently erased.
16. Consent to the processing of personal data
I, the undersigned, having read and understood the above policy describing the processing of my personal data, give my consent to such personal data being processed for the purpose of fulfilling the objectives provided for under point (iv) of paragraph 5 of such policy, namely that of communicating information about negg® or about other activities organised by negg®.