In compliance with the European Regulation (EU) 2016/679 on the protection of personal data (hereinafter referred to as the "GDPR"), the following information is provided in relation to the provision and processing of personal data.
1. DATA CONTROLLER
Pursuant to Articles 4 (7) and 24 of the GDPR, the Data Controller of the processing of your personal data is the OCMIOTG SPA Company, in the person of its legal representative Michele Gusti, VAT number 03690250158, with its registered office in Milan, Via Privata Venezia Giulia n. 7 (hereinafter referred to as "OCMI"), who can be contacted in writing at the email address: (dedicated privacy email address) or by post to the aforementioned address indicated above.
2. LEGAL BASIS AND PURPOSE OF THE DATA PROCESSING
OCMI may process personal data as appropriate:
3. TYPE OF DATA PROCESSED
The data processed by OCMI can include: a) personal data; b) contact data; c) as well as any other data strictly connected with the execution for you of the services offered by OCMI.
It should be noted that OCMI does not require and does not process on its own initiative the 'special categories' of customer data (that is, personal data revealing racial and ethnic origin, religious, philosophical or other beliefs, political opinions, parties, unions, associations or organisations of a religious, philosophical, political or trade union nature, as well as personal data revealing detecting health status and sexual orientation); however, should it be necessary to process such data in order to provide you with the services of OCMI, the latter will ask you expressly and in writing for your consent.
4. DATA PROVISION
The provision of data for the purposes referred to in paragraph 2 a) and b) is required. Any refusal to communicate the data for such purposes, or even the partial or incorrect provision of the same, will make it impossible for OCMI to fulfil its obligations.
On the other hand, the provision of data for the purposes referred to in paragraph 2 c) is optional. You may therefore decide not to provide any data or subsequently to prevent the processing of data already provided. In this case, OCMI will not be able to send you communications and/or commercial/advertising material, including the catalogues illustrating OCMI products and/or those belonging to the Group.
Pursuant to Art. 7(3) of the GDPR, you have the possibility to withdraw your consent at any time.
5. RECIPIENTS AND CATEGORIES OF RECIPIENTS
Personal data will be made accessible under the responsibility of the Data Controller:
The updated list of External Data Processors can always be requested from the Data Controller and is in any case available at the registered office of OCMI.
6. PROCESSING METHODS
The processing of your personal data will be based on principles of correctness, lawfulness, transparency and will be carried out by means of the operations indicated in Art. 4(2) of the GDPR and such as, among other things, collection, recording, organisation, storage, consultation, structuring, adaptation, selection, retrieval, comparison, use, interconnection, restriction, communication, erasure and destruction of data. The personal data is subjected to both paper and electronic and/or automated processing.
The data is kept and monitored by adopting appropriate preventive safety measures aimed at minimising the risks of loss, destruction and unauthorised access, as well as processing that is unauthorised and not in accordance with the purposes for which the consent to its collection was given.
7. DATA TRANSFER
The collected data is stored on servers located in Italy, within the European Union.
Pursuant to Art. 13 (1) (f) of the GDPR, we inform you that the personal data may be transferred to countries outside the EU. In this regard, the Data Controller will ensure from now that all safeguarding measures will be taken to make this transfer secure and to ensure that the processing of personal data complies with the requirements of the GDPR such as, for example, the consent of the Data Subject, the adoption of Standard Clauses approved by the European Commission, the selection of undertakings adhering to international programmes for the free circulation of data (e.g. the EU-USA Privacy Shield) or operating in countries considered safe by the European Commission. On this point, the Data Controller will, at the request of the Data Subject, issue the necessary information (including, where applicable, a copy of all the relevant documentation).
The Data Controller also reserves the right to use cloud services; in this case, the providers of such services will be selected from among those providing appropriate safeguards.
8. RIGHTS OF THE DATA SUBJECT
In compliance with the provisions of the GDPR, the Data Subject has the right, where applicable, to ask the Data Controller for access to the data (Article 15), its correction (Article 16), its erasure (‘right to be forgotten’) (Article 17), restriction of the processing of the personal data (Article 18), the right to data portability (Article 20) or to object to its processing (Article 21), in addition to the right to not be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or which significantly affects him or her (Article 22).
Requests may be submitted in writing to the Data Controller at the address of the operational headquarters and at the email address indicated in point 1. The Data Subject also has the right to lodge a complaint with the supervisory authority (Article 77 of the Regulation) if he/she considers that the processing performed by the Data Controller is not in compliance. For more information, you can consult the website of the Italian Data Protection Authority (Garante Privacy) at: https://www.garanteprivacy.it/en/home_en.
9. RETENTION OF DATA
The Data Controller will keep personal data for the time strictly necessary to fulfil the purposes for which it was collected and provided (in accordance with paragraphs 2 and 4 above).
Personal data may be kept for a longer period in compliance with a legal obligation (also of a fiscal nature) or by order of an authority. Subsequently the data will be deleted or rendered inactive.