1. Introduction

negg® Group S.r.l. Socio unico (hereafter also ‘negg®’) is committed to protect your personal data and to respect your privacy. negg® collects and further processes personal data pursuant to the Italian Legislative Decree 196/2003 Code regarding the protection of personal data (“Privacy Code”) and subsequent amendments and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the Privacy Code and the GDPR are collectively referred also to as “Applicable Regulations”).
This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights.
In accordance with the Applicable Regulations, the Data Controller is negg® Group S.r.l. Socio unico having its registered office in Rome, Piazza del Popolo, No. 18. For any information concerning the processing of personal data by the Data Controller, including a request for the list of data processor personnel working on behalf of the Data Controller, please contact privacy@negg.group.
negg® confirms that the processing of personal data is based on the principles of legality, fairness, transparency, purpose limitation and retention, data minimization, accuracy, integrity and confidentiality. Therefore, personal data will be processed in accordance with the legislative provisions of the Applicable Regulations and the confidentiality obligations set out therein.

2. Definitions

“Personal Data” refers to any information concerning an identified or identifiable physical person with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more elements pertaining their physical, economic, cultural or social identity.
“Particular Data” refers to personal data sufficient to reveal the racial and ethnic origin, religious or philosophical convictions, or membership of Trade Unions, as well as genetic and biometric data, data related to health or sex life or to the sexual orientation of the person.
“Judicial Data” refers to personal data relating to criminal convictions and crimes or related security measures.
“Data Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4, No. 2 of the Regulation).

3. Why, how and on what Legal Ground(S) do we process your personal data?

Personal data voluntarily provided will be processed by the Data Controller for the following purposes:
(i) performing the activities that negg® has been engaged to conduct;
(ii) fulfilling legal obligations generally imposed on negg®;
(iii) administrative-accounting. For the purposes of the application of the provisions regarding the protection of personal data, the processing performed for administrative-accounting purposes are those related to the performance of organizational, administrative, financial and accounting activities, regardless of the nature of the data processed. In particular, these objectives are pursued by the internal organizational activities, those functional to the fulfilment of contractual and pre-contractual obligations, the management of the employment relationship in all its phases, bookkeeping and the application of the rules on tax matters, Trade Unions, social security, health, hygiene and safety at work.
(iv) Information and promotions. The use of e-mail coordinates provided by the customer in the context of the sale of a product or service for direct sales of its products and services or collected through the “Contact us” area of the institutional website negg.group, is permitted for the purpose of sending information and newsletters. The party concerned, at the time of collection and at the time of sending each communication, is informed of the possibility to object at any time to the processing, easily and free of charge.
(v) Security, pursuant to Legislative Decree 81/2008. With particular reference to identification data freely given by the guest/visitor to our offices (name, surname, institution or company), the processing has the exclusive purpose of ensuring compliance with corporate security procedures formally applied, in compliance with the applicable regulations (i.e annotation in the register/visitor database, assignment of temporary identification badge, applications of legal obligations in the field of safety at work).
As the Personal Data has to be processed for the purposes indicated under points (i) and (ii), (iii) and (v) above so that negg® may perform its contractual and/or pre-contractual obligations and fulfil specific legal obligations, respectively, the Data Subject’s consent is not required for those purposes.
The personal data of the self-registered individuals is processed based on their consent after having read, understood and agreed to this privacy statement. Consent can be withdrawn at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The processing is automated and performed by means of computer/machine.
Your personal data will not be used for an automated decision-making including profiling.

4. Provision of personal data

Personal Data must be provided so as to allow negg® to conduct the activities referred to in points (i) and (ii) paragraph No. 3. Therefore, if a Data Subject does not provide the relevant Personal Data, negg® will be unable to properly perform the commercial activities it has been engaged to conduct and to fulfil its specific obligations provided under the law.
The provision of Personal Data for the purposes provided for under point (iv) of paragraph 5 is, by contrast, optional. Lack of consent from a Data Subject would, however, means negg® is unable to send the Data Subject updates or material containing information of a commercial nature and information relating to negg®’s activities.
The processing will be carried out in both an automated and manual manner, with methods and tools aimed at safeguarding maximum security and confidentiality, by persons appointed as responsible for and in charge of processing in accordance with the applicable legislation.
The data will be stored for a period not exceeding the purposes for which such data were collected and subsequently processed, and in any case for the duration of the contractual or commercial relationship.
It is understood, however, that, once the contractual relationship with negg®, and with the purpose for which the Data has been processed, has come to an end, the Data Controller will, in any event, be required and/or entitled to continue to store Personal Data, in whole or in part, for certain purposes, as expressly required by specific provisions of the law (such as the obligation to keep accounting records for a period of 10 years provided for under Article 2220 of the Italian Civil Code) or to assert or defend a right in court (for example, in the event of possible disputes in respect of the activities conducted by negg®).

5. Nature of conferral and refusal

With regard to the data that we are obliged to obtain in order to fulfil the obligations arising from existing contracts, and the obligations demanded by laws, regulations, community legislation, or provisions issued by the Authorities legitimated to do so by law and by supervising and controlling entities, failure to provide such data will make it impossible to establish or continue the relationship, within the limits in which such data are necessary for the execution of the same. The provision of data to allow the Data Controller to send commercial communications is optional; the party concerned can object to the treatment at any time by exercising the rights provided for under the Applicable Regulations in the forms and methods indicated herein.
The Data Controller also states that any non-communication, or incorrect communication, of one of the mandatory information areas, will have the following consequences:
– the impossibility for the Data Controller to guarantee the adequacy of the processing itself to the contractual agreements for which it is performed;
- the possible lack of correspondence of the results of the processing to the obligations imposed by the fiscal, administrative and civil law to which it is addressed.

6. Which personal data do we collect and further process?

In order to carry out the above-mentioned activities negg® collects the following categories of personal data provided voluntarily by the Data Subject:
Personal information: first, middle and last name(s), date of birth, additional personal information (for example but not limited to: address, phone or mobile number, e-mail address); Administrative data: (for example but not limited to VAT number, tax code, bank account details).

7. How long do we keep your personal data?

negg® only keeps your personal data for the time necessary to fulfil the purpose of collection.

8. How do we protect and safeguard your personal data?

All personal data in electronic format (databases) are stored on secure servers.
In compliance with the provisions of Article 5 of the GDPR, Personal Data processed by negg® is:
(i) processed lawfully, fairly and in a transparent manner in relation to the Data Subject;
(ii) collected and registered for specified, explicit and legitimate purposes, and further processed in a manner that is compatible with those purposes;
(iii) adequate, relevant and limited to what is necessary to the purposes for which they are processed;
(iv) accurate and, where necessary, kept up to date;
(v) processed in a manner that ensures appropriate security;
(vi) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed.

Personal Data will be processed by negg® by automated and non-automated means. Namely, in order to protect your personal data, negg® has put in place a number of technical and organisational measures in place. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of the processing operation.
Specific security measures are adopted so as to prevent data loss or data usage in an unlawful or improper manner, as well as to prevent unauthorised access thereto.

9. Who has access to your personal data and to whom is it disclosed?

Access to your personal data is provided to negg®’s staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.
Personal Data may be transferred to European Union Member States and third countries that are not part of the European Union for the purposes indicated in paragraph 3 above. If Personal Data is transferred outside the European Union without any decision having been taken by the European Commission on the adequacy of the protections provided in relation thereto, the applicable legislation on the transfer of Personal Data to third countries who are not part of the EU will still be observed.
Personal Data is not subject to public disclosure.
The information we collect will not be given to any third party, except to the extent and for the purpose we may be required to do so by law. The data object of the processing will not be divulged unless explicit authorization of the Data Subject has been granted after appropriate information. The data may instead be communicated to companies contractually linked to the Data Controller. The data may be disclosed to third parties belonging to the following categories:
– subjects that provide services for the management of the information system used by the Data Controller and the telecommunications networks, and that are responsible for the maintenance of the technological areas (including e-mail and the newsletter service);
- individuals and entities that collaborate with the Data Controller to carry out training courses for example but not limited to: teachers, Interprofessional Funds;
– professionals, firms or companies in the field of assistance and consultancy;
– insurance, banking and financial companies;
– individuals that perform control, revision and certification of the activities carried out by the Data Controller;
– competent authorities for the fulfilment of legal obligations and/or provisions of public entities, upon their request.
The identification data processed in compliance with corporate security procedures are not subject to communication, without prejudice to express and specific requests on the part of the competent judicial and investigative Authorities.
The individuals belonging to the aforesaid categories perform the function of Data Processing Manager or operate in complete autonomy as separate Data Controllers. The list of data processor personnel and shared data controllers is constantly updated and available on request from the Data Controller’s headquarters.
Any further communication or divulgation will take place only with the explicit consent of the party concerned.
Moreover, during the ordinary processing activities, they will be able to access personal and identifying data and therefore become aware of the subjects expressly designated by the writer as responsible and/or in charge of processing, authorized according to their respective profiles.

10. What are your rights and how can you exercise them?

The Users, as data subject, have the rights granted by the GDPR. In particular, you may exercise, pursuant to articles 15 to 22 of the GDPR, the right to: a) request from the Data Controller access to the personal data, obtain information about the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be communicated and, where possible, the storage period; b) request the rectification or erasure of the data and the restriction of processing; c) exercise the right to data portability, object to the processing, object to automated decision-making process concerning natural persons, including profiling; d) withdraw consent at any time, without prejudice to the lawfulness of the processing based on the consent given before the revocation; e) to lodge a complaint with the Data Protection Authority (email protocollo@gpdp.it. pec. protocollo@pec.gpdp.it). As Data Subject you may exercise your rights at any time by sending a written request to the Data Controller at the following addresses: • by e-mail, writing to privacy@negg.group • by ordinary mail, at the address Piazza del Popolo, 18, 00187 Roma.

11. Contact Information

The Data Controller: If you would like to exercise your rights under the GDPR, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact negg® at Piazza del Popolo n. 18, 00187 Rome, or at privacy@negg.group.

12. Career and job opportunities

Whenever a resume is uploaded on the negg® website in order to reply to a job offer or send a spontaneous application and does not include an express consent to the processing of the data contained therein, such consent will be explicitly requested in writing. If no answer is received within 14 days of the request, the resume will be permanently erased.

13. Calls Recording Policy

In order to maintain high standards, we record inbound and outbound telephone calls and retain the collected data for a limited period of time.

Purposes for the processing

Calls are recorded for the purpose of: providing technical assistance; investigating a complaint; verifying compliance with regulatory procedures; improving call handling standards; using the data collected to improve service; and increasing the training of our staff. Any interest in collecting and/or recording special data, including judicial data, is excluded, so please do not provide such information during phone calls with operators. The data collected may also be processed in aggregate and anonymous form for statistical purposes.

Procedures for managing call recordings

Conversations will be recorded with computer tools and with the use of security measures to ensure the confidentiality of user as well as to prevent undue access to third parties or unauthorized personnel. During the conversation, the user will be notified in advance of the start of the recording by means of a brief information note rendered in audio format, which will expressly refer to this detailed information notice published on the website. The continuation of the call following the user's listening to the audio informative note implies the release of consent to the processing of personal data provided to the operator. The personal data provided, if necessary for the above purposes, may be disclosed:
a) to the subjects to whom the communication of the data must be made in fulfillment of an obligation provided for by law or a Regulation or to comply with an order of the Judicial Authority;
b) to persons designated by the Data Controller, in the capacity of Data Processors, or to persons authorized to process personal data who operate under the direct Authority of the Data Controller or the Data Processor;
c) to other third parties, in the cases expressly provided for by law, or again if the communication is necessary for the protection of a right of the Data Controller in court, in compliance with the provisions in force on the protection of personal data.

Disclosure of data

The data provided during the calls will not be disclosed except to comply with obligations expressly provided for by law. The transfer of said information to third Countries is not envisaged. The recordings may only be listened to by authorized personnel and the personal data collected will be processed exclusively by the persons in charge at the indication or assignment given by the Data Controller.

Retention of call recordings

All call recordings are automatically stored on the servers for up to 10 years. However, if there is a justified need to retain a specific record for a longer period due to a legal obligation or judicial order, this limit may be extended. Information will not be retained for longer than necessary.

14. Updating

negg® verifies regularly its own privacy policy and, where appropriate, reviews it according to regulatory, technological or organizational amendments. In the case of amendments, the new version will be published within this section of the website.