Privacy Policy for Customers and Potential Customers

Privacy Notice for customers and potential customers


NOTICE FOR CUSTOMERS

This privacy notice (the “Notice”) is provided in accordance with Article 13 of the European Regulation concerning the protection of natural persons with regard to the processing of personal data (hereinafter also GDPR No. 679/2016) for the clients and potential clients of SAVIO S.P.A.

The Data Controller, as defined and identified below, with this document informs you about the purposes and methods of processing your personal data and your rights as the “data subject” under the GDPR No. 679/2016 and the Privacy Code (Legislative Decree No. 196/2003).

RECIPIENTS OF THIS NOTICE

This notice is intended for the clients and potential clients of SAVIO S.P.A., and for the natural persons (administrators, legal representatives, executives, employees, and other representatives of legal entities who are clients of SAVIO S.P.A.) whose personal data the Data Controller must process in order to enter into or execute contracts with the legal entity.

KEY DEFINITIONS UNDER ARTICLE 4 OF GDPR NO. 679/16

  • Personal Data
    Any information related to an identified or identifiable natural person (“data subject”); a person is considered identifiable if they can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific elements of their physical, physiological, genetic, mental, economic, cultural, or social identity.
  • Data Processing
    Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, communication by transmission, dissemination, or any other form of provision, comparison, or interconnection, limitation, erasure, or destruction.
  • Data Controller
    The natural or legal person, public authority, service, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; when the purposes and means of processing are determined by Union or Member State law, the Data Controller or specific criteria applicable to their designation may be established by Union or Member State law.
  • Data Processor
    The natural or legal person, public authority, service, or other body that processes personal data on behalf of the Data Controller.

  1. DATA CONTROLLER AND DATA PROCESSOR

The Data Controller is the company SAVIO S.P.A., with registered office in CHIUSA DI SAN MICHELE (TO), Via Torino Strada Statale 25 n. 25, Tax Code and VAT number 12396890019, represented by the Chief Executive Officer Moshe Nash ABRAMOV.

The updated list of all the appointed Data Processors is available at the Data Controller’s operational headquarters and will be provided upon written request directed to the contact details below.

  2. TYPES OF DATA PROCESSED

The processing of your personal data is carried out in compliance with the principles of fairness, lawfulness, and transparency.

The following common data are processed:

  • Identification data (e.g., name, surname, date of birth, address and city of residence, phone number, email and other contact details, tax code, VAT number, possible identification number) necessary for the overall management of the contractual relationship or aimed at establishing the same;
  • Identification and contact data (e.g., name, surname, date of birth, phone number, email, and other contact details, tax code, possible identification number) of natural persons (legal representative, administrators, executives, employees, collaborators, company representatives, and/or other legal entities) with whom the Data Controller, the Processor, and/or the persons authorized by them have direct contacts for the management of the contractual relationship or for establishing the same;
  • Other personal data that may be necessary for the stipulation and execution of the contract and for compliance with legal obligations for criminal, civil, accounting, and tax purposes;
  • Bank details.

The data are provided directly by the data subject or collected from third parties (e.g., from the company for which the data subject works).

  3. PURPOSES OF DATA PROCESSING

The processing of personal data will be carried out for the following purposes:

  • Establishment, management, and termination of the contract/order of purchase and any other contractual instrument;
  • Accounting management, tax compliance, payments;
  • Inclusion of data in the customer list and its updating;
  • Carrying out advertising, marketing, or promotional activities (via phone calls, emails, website, social media profiles) including the sending of commercial newsletters, offers, promotions, discounts, and invitations to events or exhibitions;
  • Profiling, through the reading and analysis of purchasing behaviors, using data related to your expenditures and website access data (such as requests for information/quotes) in order to improve the commercial offering and carry out specific promotions of products and commercial offers tailored to your profile and needs, also through market research, as well as to assess customer satisfaction;
  • Compliance with obligations required by laws, regulations, community legislation, certified management systems adopted by SAVIO S.P.A., and the procedures they provide, as well as by provisions issued by public authorities and supervisory and control bodies;
  • Any other necessity related to the contractual relationship even after its conclusion, such as the defense of a right or for legal obligations, including the prevention of contractual fraud.

SAVIO S.P.A. performs a financial check on the solvency of clients and potential clients using services provided by industry operators (e.g., CRIBIS) and reserves the right not to establish the contractual relationship or to terminate it based on the information obtained.

 

  4. LEGAL BASIS FOR THE PROCESSING

The processing of the aforementioned data for the highlighted purposes is based on the following legal grounds:

  • Article 6, paragraph 1, letter b) (processing necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject);
  • Article 6, paragraph 1, letter c) of the GDPR (processing necessary to comply with a legal obligation to which the Data Controller is subject);
  • Article 6, paragraph 1, letter f) of the GDPR (legitimate interest of SAVIO S.P.A. to protect its rights in all contexts and to process the personal data of employees, directors, representatives, or administrators of the client legal entity for the purposes of the conclusion, fulfillment, and execution of the contract signed with the same. In this case, your personal data will only be processed to the extent strictly necessary for the management of the relationship between the Data Controller and the legal entity for which you work);
  • Regarding marketing and profiling activities carried out towards corporate clients (also through the contact details of natural persons), the legal basis is the legitimate interest of SAVIO S.P.A. in carrying out promotional activities pursuant to Article 6, paragraph 1, letter f) of the GDPR and Article 130 of the Privacy Code (Legislative Decree No. 196/2003). You have the right to object to such processing at any time by sending a communication to SAVIO S.P.A. at the contact details provided below.
  • For other types of natural person clients, for marketing activities, the legal basis is the legitimate interest of SAVIO S.P.A. in carrying out promotional activities pursuant to Article 6, paragraph 1, letter f) of the GDPR and Article 130 of the Privacy Code (Legislative Decree No. 196/2003), while for profiling activities, the legal basis is consent pursuant to Article 6, paragraph 1, letter a) of the GDPR. You have the right to object to such processing at any time by sending a communication to SAVIO S.P.A. at the contact details provided below.
  • For potential clients, for marketing and profiling activities, the legal basis is consent pursuant to Article 6, paragraph 1, letter a) of the GDPR and Article 130 of the Privacy Code (Legislative Decree No. 196/2003).

 

  5. NATURE OF DATA PROVISION AND CONSEQUENCES OF REFUSAL

Except in cases where consent is required for the data processing activities outlined above, the provision of personal data is necessary for the establishment of the contractual relationship.

Failure to provide data will result in the inability of the Data Controller to conclude and execute the contract.

  6. PROCESSING METHODS

The processing of all acquired data will be carried out using both paper and electronic tools, in compliance with the provisions regarding personal data protection and, in particular, security measures under Article 32 of GDPR 679/16, observing all precautionary measures that ensure confidentiality and security.

 

  7. DATA RETENTION PERIOD

The data subject to this notice will be processed and stored by the Data Controller and the designated Data Processors, as well as the authorized subjects, in compliance with the principle of proportionality:

  • For the entire duration of the contract and until the expiration of any legal or contractual warranties, subject to further legal obligations and/or requests from the competent authorities;
  • From the termination of the contractual relationship, for a maximum period of 10 years in accordance with the statute of limitations under the civil code;
  • Use of data for marketing purposes (without tracking): 5 years from the last contact, unless the customer has previously revoked consent;
  • Tracking data: 3 years from the last contact;
  • Contact data of potential customers: 3 years from the last contact;
  • For tax compliance: for the entire duration of the contract and for the subsequent 10 years from the end of the fiscal year following the year of reference, to handle tax assessments/disputes;
  • In the event of legal disputes, if necessary to defend or act, or even to assert claims against you or third parties, the Data Controller may retain the personal data deemed reasonably necessary for such purposes and for as long as such a claim can be pursued.

  8. SCOPE OF COMMUNICATION AND DISCLOSURE OF PERSONAL DATA

Your personal data may be disclosed to the following subjects or categories of subjects:

  • Subjects engaged by the Data Controller to carry out activities aimed at the establishment, management, and termination of the contract/sale order/service in the fulfillment of its corporate purpose;
  • Banking institutions;
  • Subjects managing the IT system of SAVIO S.P.A.;
  • Subjects who handle administrative, legal, accounting, and tax compliance for the Data Controller;
  • Subjects handling compliance with the procedures and management systems adopted by the company;
  • Certifying bodies of the management systems adopted by the company;
  • Consultants or suppliers to whom the Data Controller may assign tasks for the performance of certain outsourcing activities;
  • Insurance companies with which the Data Controller has relationships or agreements;
  • Authorities and supervisory and control bodies, as well as public or private entities with public duties;
  • Any other subjects to whom communication is required by current legal and/or contractual regulations.

The recipients listed above may act, in some cases, as independent Data Controllers, or in other cases, as Data Processors appointed by SAVIO S.P.A. in accordance with Article 28 of the GDPR 679/16.

Your personal data will not be subject to dissemination unless required by law, regulation, or community regulations.

No data transfer outside the European Economic Area is foreseen.

Where necessary, SAVIO S.P.A. will comply with the provisions of Chapter V of the GDPR.

All measures will be adopted to ensure the protection of personal data by basing the processing on:

  • A decision of adequacy by the European Commission;
  • The existence of adequate safeguards pursuant to Article 46 of the GDPR;
  • The adoption of binding corporate rules pursuant to Article 47 of the GDPR.

SAVIO S.P.A. uses services and programs, including cloud-based ones, such as Microsoft 365, whose servers and data centers are located within the European Union. For maintenance/diagnostic reasons related to the IT infrastructure and operational requirements of cloud services, as well as for cybersecurity purposes, Microsoft may carry out interventions from locations outside the EU/EEA.

In such cases, the EU-US Data Privacy Framework applies, to which Microsoft adheres, and which was the subject of an adequacy decision by the European Commission on July 10, 2023 (all relevant information is available on the following websites: Microsoft Trust Center; Microsoft Privacy Statement; and EU Data Boundary Transfers).

 

 

  9. RIGHTS RECOGNIZED TO THE DATA SUBJECT

At any time, you can exercise your rights with respect to the Data Controller and the Data Processor in accordance with Chapter III (Articles 12-22) of GDPR 679/16.

In particular, as a data subject, you have:

  • The right to access the personal data stored in paper and/or electronic archives and to the other information provided for in Article 15 of GDPR 679/16, namely:
    a) the purposes of the processing;
    b) the categories of personal data being processed;
    c) the recipients or categories of recipients to whom personal data have been or will be disclosed, particularly if recipients are in third countries or international organizations;
    d) where possible, the period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
    g) where the data have not been collected from third parties, all available information about their origin.
  • The right to obtain the rectification of inaccurate personal data without undue delay. Considering the purposes of the processing, you also have the right to complete incomplete personal data, potentially by providing a supplementary statement (Article 16 GDPR 679/16);
  • The right to obtain the erasure of personal data relating to you without undue delay if one of the reasons set out in Article 17, paragraph 1 of GDPR 679/16 applies;
  • The right to object to the processing and/or obtain the restriction of processing when one of the cases referred to in Article 18, paragraph 1 of GDPR 679/16 applies and the right to withdraw consent, where such consent is required;
  • The right to lodge a complaint with a supervisory authority, in Italy the Garante per la Protezione dei Dati Personali, following the procedures outlined on the official website www.garanteprivacy.it;
  • The right to data portability within the limits and under the conditions provided in Article 20 of GDPR 679/16;
  • The right to object at any time, for reasons related to your particular situation, to the processing of personal data within the limits and conditions provided by Article 21 of GDPR 679/2016;
  • The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects your person (Article 22 GDPR 679/16). Exceptions include decisions necessary for the conclusion or performance of a contract between you and the data controller; decisions authorized by European Union or Member State law to which the Data Controller is subject (Italy in this specific case); and decisions based on the explicit consent of the data subject.

The rights summarized above are exercised by submitting a request to the Data Controller, including through an authorized representative, to which a suitable response will be provided without undue delay. The request to the Data Controller, even through an authorized subject, must be submitted by registered letter or electronic mail, including certified email.

If the request is received via email, the recipient will immediately provide confirmation of receipt and acknowledgment of the request.

It is important to note that the above rights may be subject to limitations under Article 23 of GDPR 679/16 and Article 2 duodecies of the Privacy Code (Legislative Decree No. 196/2003) for judicial reasons (which include the judicial handling of business matters and disputes). In such cases, you may still exercise your rights through the Garante for the protection of personal data using the procedures set out in Article 160 of the Privacy Code.

  10. CONTACTS

You can exercise the rights described above, as well as withdraw your consent to the processing of your data in the cases specified in this notice, by writing to the company SAVIO S.P.A. with its registered office at Via Torino Strada Statale 25 n. 25 – 10050 CHIUSA DI SAN MICHELE (TO), or by sending an email to privacy@savio.it or a certified email (PEC) to hope57@legalmail.it.

Latest update: January 2025