This personal data protection policy governs users’ access and use of the services offered by this website, as data subjects who own personal data that are likely to require protection, pursuant to EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and in accordance with applicable data protection legislation.
The Data controller
is the company Ivoplast s.r.l., tax code /VAT no. 00378930283, Via Commerciale no. 60 – postcode 35010 – Villa del Conte- Fraz. Abbazia Pisani (Padua), e-mail email@example.com.
In line with its mission and values, Ivoplast s.r.l. undertakes to protect the personal data of everyone, respecting the identity and dignity of all human beings and the fundamental freedoms that are constitutionally guaranteed, pursuant to EU Reg. 2016/679 (“EU Reg.”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“Personal Data”).
Personal Data protection is based on compliance with the principles outlined in this document, which the Data Controller undertakes to share and respect, as well as ensuring they are respected by its shareholders, employees, associates and recipients or by any third parties it works with as part of its activities and mission.
The Data Controller is committed to ensuring that its Personal Data Protection policy, and everything it involves, is understood, implemented and supported by all internal and external individuals who are involved in the company’s activities, taking into account its practical reality, investment capability and, above all, its values.
In particular, Ivoplast s.r.l. is committed to:
- disclosing and disseminating its personal data protection policy;
- listening and paying attention to all its stakeholders – shareholders, employees, associates, investors, promoters, beneficiaries, customers, suppliers, consultants – taking into consideration their requests regarding personal data protection and promptly replying to them;
- processing personal data: in a lawful, correct and transparent way, in line with constitutional principles and pursuant to applicable legislation in this regard, in particular the new EU Reg., and only for the amount of time that is strictly necessary for the stated purposes, including those necessary to fulfil legal obligations;
- only collecting personal data that are strictly necessary to carry out its activities (pertinent and limited personal data);
- processing personal data in accordance with the principles of transparency, solely for the specific and express purposes stated in its privacy policies;
- adopting processes to update and rectify the personal data processed in order to ensure that all personal data are correct and up to date, to the extent possible;
- using the best preservation techniques available to store and protect the personal data in its possession, also through service contracts with providers able to provide sufficient guarantees regarding the security of processing and ensure that data subjects’ rights are protected;
- ensuring that personal data protection measures are continuously updated. This commitment shall be pursued on an ongoing basis as part of the company’s accountability principle; in this regard, it consistently implements appropriate technical and organisational measures and suitable company policies to ensure it is able to prove that data are processed in accordance with the EU Reg., taking into account the state of the art, the nature of the personal data stored and the risks to which they are exposed;
- ensuring the methods used to process and store Personal Data are clear, transparent and relevant, in order to ensure an appropriate level of security;
- providing training and information to its shareholders and employees, depending on the jobs they carry out, regarding the principles of lawfulness and correctness with which this Personal Data Protection Policy and the processing of personal data must comply, in addition to compliance with the protection measures adopted;
- fostering the development of a sense of accountability and raising awareness among the entire organisation with regard to personal data, ensuring they are seen as data belonging to each individual data subject;
- ensuring compliance with legislative and regulatory provisions applicable to personal data protection, updating how personal data protection is managed where necessary;
- preventing and minimising the impact of potential violations or unlawful and/or harmful processing of personal data, in line with the company’s available resources;
- encouraging personal data protection to be included in the ongoing improvement plan that the organisation pursues with its in-house management systems;
- All members of staff, shareholders and collaborators shall be made aware of this Personal Data Protection Policy, also through specific awareness-raising meetings.
What is the purpose of this policy and who is it addressed to?
This policy is addressed to users of the website www.ivoplast.com (“Website”) and to all natural persons whose personal data are processed by the Data Controller as part of the latter’s company activities (“Addressees” or “Users”).
Users may have to insert some of their Personal Data in order to access certain sections of the Website and/or to send any requests for information or services; said Personal Data shall be processed in accordance with the EU Reg.
In order for Users to receive specific services, specific privacy policies shall be provided on a case-by-case basis and, where necessary, specific consent shall be collected for the processing of their personal data.
The term ‘personal data’ is defined by article 4, point 1), of the EU Reg., as follows: “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (“Personal Data”).
The EU Reg. defines the processing of Personal Data as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (“Processing”). Before processing Personal Data, the EU Reg. states that it is necessary for the data subject to be informed about the reasons and purposes of processing, i.e. why his/her data are needed and how they will be used.
Personal Data may be disclosed to specific parties considered to be recipients of said Personal Data. The EU Reg. defines a recipient of Personal Data to be “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.” (hereinafter “Recipients”).
Personal Data may also be disclosed to specific parties considered by the EU Reg. to be “persons who, under the direct authority of the controller or processor, are authorised to process personal data” (hereinafter “Authorised Persons”).
The EU Reg. also states, inter alia: “public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients”.
In this regard, the purpose of this document is to provide Users with all useful and necessary information in a simple and intuitive away, allowing them to provide their Personal Data in a well-informed way and to ask for and obtain clarifications and/or corrections at any time.
Categories of data and processing
As part of their standard operations and only for the duration of the connection, the IT systems and software procedures used to run this portal acquire certain pieces of personal data, which must be transmitted in order to use internet communication protocols. This information is not collected to be associated with specific individuals but could, for its very nature, allow the users to be identified if processed and associated with data held by third parties (e.g. IP addresses, the domain names of the devices used, the requesters’ URI – Uniform Resource Identifier -, the time of the request, etc.). These data are used for the sole purpose of gathering anonymous statistical information on the use of the website and to check that it is working properly, and are immediately cancelled after processing. Web contact data are stored for no longer than seven days, unless there are potential computer crimes that harm the websites. No data deriving from the service shall be disclosed or disseminated.
To find out more, Data Subjects are invited to read the cookies policy.
Contact details provided by the User
Sending Personal Data on an optional, explicit and voluntary basis to access the services and to send requests via e-mail shall mean that the Data Controller subsequently acquires the sender’s e-mail address or any other personal data indicated. Said data shall be processed in order to reply to the request, or to provide the service in question, as well as to carry out all the related activities and to fulfil legal obligations (for example, tax obligations). Failure to provide said data, or providing only partial or inaccurate data, shall make it impossible to use the services requested and, in some cases, to comply with legal requirements.
In order to use the services offered or make a request, it may be necessary to register by filling in a dedicated registration or contact form (“Form”).
Providing the personal data indicated with an asterisk (*) in the aforementioned form is compulsory in order to complete the registration procedure; failure to provide said data, or providing only partial or incorrect data, shall therefore void the registration and will not allow you to use the services in question.
Pursuant to articles 12 and 13 of the EU Reg., the forms on the website may include privacy policies for specific purposes linked to Users visiting those sections of the website.
Data shall be processed both manually and using computerised and telematic tools, in accordance with applicable legislation and the principles of correctness, lawfulness, transparency, relevance, completeness and reasonableness, data minimisation and accuracy; organisation and processing logic shall be strictly linked to the purposes being pursued and, in any case, shall be such as to guarantee the security, integrity and confidentiality of the data being processed, in compliance with the organisational, physical and logical measures provided for by applicable legislation. These measures shall be implemented and increased on a case-by-case basis, also in relation to technological developments, in order to guarantee the confidentiality, availability and integrity of the data processed.
Purposes and legal basis for processing
Pursuant to Art. 6 of the EU Reg., the legal basis for processing may be defined as: pre-contractual and contractual obligations as part of the performance of a contract; the Data Controller’s legal obligations; the need for the Data Controller to pursue a legitimate interest (e.g. right of defence).
The Data Controller declares that it does not make decisions that are likely to influence the Data Subject, based exclusively on the automated processing of his/her personal data. All the decision-making processes linked to the aforementioned processing purposes involve human intervention.
Who may receive and processes personal data?
- the Data Controller’s employees and/or collaborators whose work contributes to the Data Controller’s activities and who have received suitable instructions on the security and correct use of your personal data.
- third parties who carry out part of the Processing activities and/or connected and instrumental activities on behalf of the Data Controller, such as individuals, companies, associations or professional firms, based in the European Union, that have been appointed to provide the Data Controller with services, also including website maintenance and other assistance and/or consulting. The aforementioned third parties are mainly included in the following categories: (a) parties with whom the Data Controller has signed collaboration and service provision agreements; (b) sector operators; (c) credit institutions involved with providing the services; (d) consultants;
- public authorities or public bodies for the fulfilment of the legal obligations applicable to the Data Controller, and any other public body authorised to request the data, under the circumstances provided for by law.
If required by law or to prevent or repress a potential crime, Personal Data may be disclosed to public bodies or the judicial authority.
It is understood that only data that are necessary to fulfil the specific purposes shall be processed, meaning that any data managed through third parties shall be limited to said specific purposes.
Personal Data shall not be subject to dissemination.
Transferring personal data abroad
Personal Data shall be processed by the Data Controller within the European Union.
If, for technical and/or operational reasons, it becomes necessary to use the services of parties located outside of the European Union, then your Personal Data shall only be transferred for the specific processing activities, in compliance with the provisions of Section V of the EU Reg. All the necessary precautions shall therefore be taken in order to ensure that your Personal Data are fully protected, basing such a transfer on: (i) the European Commission’s decisions on the suitability of the third country in question (ii) adequate guarantees provided by the third-party recipient pursuant to Art. 46 of the EU Reg.; (iii) the adoption of binding corporate rules.
Personal Data collected via the “contact form” shall be processed for the minimum amount of time necessary, i.e. until the relative pre-contractual and contractual relationships with the Data Controller come to an end, taking into account the legally required time frames and the physical storage and other storage obligations required by law or by the EU Reg., in relation to which the reasonableness principle shall apply (Art. 6, letter f).
Commercial communications and withdrawal of consent
Should the data be used by the Data Controller to send information relating to the Data Controller’s activities and products, then said communications may be sent via e-mail or over the phone or by sending advertising material to the Data Subject’s home. However, for these purposes, it may be necessary to collect specific consent.
The only consequence of failing to collect consent for this purpose would be the inability to send the commercial communications in question.
Data provided for the aforementioned purposes shall be stored for a reasonable and relevant amount of time, in line with the purposes being pursued and, in any case, until the relative consent is withdrawn. In fact, as stated by the EU Reg., if the Data Subject has provided his/her consent to the Processing of his/her Personal Data for one or more of the purposes for which said consent was required, then he/she may fully and/or partially withdraw this consent at any time, without prejudice to the lawfulness of Processing based on the consent provided before it was withdrawn.
In addition to the above, and to make the process easier, should a Data Subject no longer be interested in the e-mail messages received from the Data Controller, then he/she simply has to click on the ‘unsubscribe’ button at the bottom of the e-mails in order to stop receiving the messages, also through the other contact channels, for which he/she had given his/her consent (SMS, post, fax, telephone calls, social media).
Rights of the data subject and how to exercise them
As stated by Art. 15 of the EU Reg., Data Subjects may access their Personal Data, ask for them to be rectified and updated, if incomplete or incorrect, and ask for them to be erased if they were collected in violation of a law or the EU Reg., as well as to object to Processing for legitimate and specific reasons.
More specifically, the Data Subject may exercise the following rights vis-à-vis the Data Controller, at any time.
Right of access: pursuant to Art. 15, paragraph 1, The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Right to rectification: pursuant to Art. 16 of the EU Reg., The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (right to be forgotten): pursuant to Art. 17, paragraph 1, of the EU Reg., The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
In some cases, as provided for by Article 17(3) of the EU Reg., the Data Controller may be entitled not to erase Personal Data if their Processing is necessary, for example, to fulfil a legal obligation, in the public interest, for archiving purposes in the public interest or for statistical purposes, or for the establishment, exercise or defence of legal claims.
Right to restriction of processing: pursuant to Article 18 of the EU Reg., The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability: pursuant to Article 20(1) of the EU Reg., The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. In this case, the data subject must send us all the exact details of the new data controller to whom he/she intends to transfer his/her Personal Data, providing us with written authorisation to this end.
Right to object: pursuant to Art. 21(2), of the EU Reg., Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
These rights may be exercised by contacting the Data Controller
In order to exercise the rights listed above, the Data Subject may contact the Data Controller by sending an e-mail to: firstname.lastname@example.org.
For any request or necessity, the Data Subject may also write to Ivoplast s.r.l. Via Commerciale no. 60 – Postcode 35010 – Villa del Conte- Fraz. Abbazia Pisani (Padua).
Data subjects may also refer to the “Privacy Section” of the website at any time. This section includes all the information on the Data Controller’s Personal Data Protection policy, how Personal Data are used and processed, up-to-date contact details and the communication channels that the Data Controller makes available to data subjects.
The Data Controller