COMMUNICATIONS AND TRANSPARENT WAYS FOR THE DATA SUBJECT TO
EXERCISE ITS RIGHTS
carefully in compliance with art. 12, 13 and 14 (for personal data not obtained
from the data subject but from other sources) of the European General Data
Protection Regulation (GDPR), as amended, to fully understand why personal data
are collected, how they are used and stored and to whom they are disclosed, in
particular related to:
- Website navigation data;
- Website cookies;
- Processing of client and supplier data.
1. ABOUT US
This information is provided by Giordano
Riello International Group S.p.A. (hereinafter also Company) as Data
Controller, holding company of the "Giordano Riello International Group" Group
(hereinafter also Group).
2. SHARING INFORMATION
Each Group company may have a legitimate interest to share
the personal data of its clients and suppliers with other Group companies, also
entering data in centralised databases.
The Company may also transfer the personal data to suppliers
and third parties who perform certain services on its behalf, always in
compliance with data processing agreements and, if required, based on user
consent. The data will only be shared with and made available to those external
service suppliers to the extent required to satisfy the purposes mentioned in
this policy. The categories of external subjects that the Company could use to
perform some of its activities are the following:
- companies who provide banking and financial services;
- external companies and/or consultants who perform
instrumental activities (management, collection of economic and financial
information, management of IT systems, insurance, management and protection of
- external companies and/or consultants for compliance with
laws (firms of accountants, notaries, lawyers and labour consultants);
- public bodies (INPS [National Social Insurance Agency],
INAIL [National Institute for Insurance against Accidents at Work], Provincial
Labour Department, Tax Offices, etc.): authorised tax assistance centres;
- pension and assistance funds, also private.
3. RIGHTS ESTABLISHED BY LAW
The law guarantees a number of rights with regard to
personal data. The company undertakes to protect personal data and respect the
data privacy laws in force each time. Further information and suggestions on
rights can be obtained from the National Personal Data Protection Authority.
- Right of information – The user has the right to receive
clear, transparent and easily understandable information on how his/her personal
data are being used and on his/her rights. That is why the information in this
policy is being provided.
- Right of access – The user has the right to access his/her
data (if those data are being processed) and other information (similar to what
and verify whether his/her personal data are used in compliance with the data
- Right to rectification – The user has the right to have
information corrected if it is incorrect or incomplete.
- Right of erasure – Also known as the "right to be
forgotten", in simple terms it allows the subject to request the erasure or
removal of data where there is no valid reason to keep on using them. This is
not a general right to erasure; there are exceptions.
- Right to restrict data processing – The user has the right
to ‘block’ or restrict further use of information. When data processing is
restricted, the company may however store the data but may not use them any
more. The company stores lists of people who have requested the "blockage" of
further use of their information to guarantee that said restriction is
respected in the future.
- Right to the portability of data – The user has the right
to obtain and reuse his/her personal data for his/her own purposes in different
services. For example, should he/she decide to move to a new supplier, this
right enables moving, copying or easily transferring data between the IT
systems of the company and their systems securely and in a protected way,
without compromising usability.
- Right to object to processing – The user has the right to
object to processing for direct marketing purposes (only performed with prior
consent) and to processing performed for purposes that protect legitimate
- Right to lodge complaints – The user has the right to
lodge a complaint on how the company processes his/her personal data with the
National Personal Data Protection Authority.
- Right to revoke consent – If the user has consented to any
activity being performed with his/her personal data, he/she has the right to
withdraw that consent at any time (though, in that case, that does not mean
that what was carried out using the personal data with user consent until that
moment was illegal). This includes the right to revoke consent to use personal
data for marketing purposes.
For more information on how to exercise the
rights, please write to: Giordano Riello International Group S.p.A., 904/7 Via
Roma, Bevilacqua – Verona, Italy.
4. WHICH PERSONAL DATA ARE COLLECTED AND HOW ARE THEY USED?
What are personal data?
Personal data are the information that, directly or
indirectly, enables identification of a user as an individual. "Directly"
means, for example, name, surname and address; "indirectly" means when the data
are processed together with other information.
4.1. Navigation Data
During normal operations, the IT systems and software
procedures operating this website acquire certain personal data transmitted
implicitly during the use of Internet communication protocols. This information
is not collected to be associated with identified data subjects, but it may, by
its very nature, through processing and association with data held by third
parties, enable the identification of users. This data category includes IP
addresses or domain names of computers used by users to connect to the website,
URI addresses (Uniform Resource Identifier) of the resources requested, the
time of the request, the method used to submit the request to the server, the
size of the file obtained in response, the numerical code indicating response
status given by the server (successful, error, etc.), time indications of the
start and end of the session and other parameters related to the user’s
operating system and IT environment.
Processing purposes and legal basis:
data are only used to obtain anonymous statistics on the use of the website and
to check it is working correctly. The data could also be used to
ascertain responsibility for IT offences against the website (legitimate
interest of the Controller).
Data are normally stored
for short periods of time, except for any extended periods connected to
The data are not provided by the data
subject. They are acquired automatically by the website’s technological
Cookies are small text files that websites visited by users
send to their devices, where they are memorised to be retransmitted to the same
websites at the next visit. Cookies of so-called "third parties" are,
however, set by a website other than the one being visited by the user. That is
because each website can have elements (images, maps, sounds, specific links to
web pages of other domains, etc.) residing on servers other than the one of the
Based on their duration, they are referred to as session
cookies (temporary ones deleted automatically by the device at the end of the
navigation session) and persistent cookies (that is those that remain memorised
on the device until they expire or are deleted by the user).
Cookies are used for different purposes. First of all, they
are used to transmit the communication or to provide the service requested by
the user. More specifically, they enable the optimisation of website
operations, the execution of computer authentications and the prevention of
abuse; they allow sessions to be monitored and improve the users’ navigation
experience, for example by keeping the connection to reserved areas active
during navigation through website pages, with no need to log in again with user
ID and password, and by memorising specific information concerning the users
themselves (including preferences, type of browser and computer used).
Cookies can only be read or modified by the website that
generated them. They cannot be used to recall any data from the user’s terminal
and cannot transmit computer viruses. Some cookie functions can also be
refers to cookies and all similar technologies.
This Website may use both session and persistent cookies.
The cookie types generated directly by this Website are "technical" cookies,
- personalise the user interface (e.g. to record
preferences expressed by the user, such as language and product catalogue);
- authenticate and manage a navigation session (for
example, to identify and validate the user to access the Support Area);
This Website does not allow transmission of third-party
cookies to the user’s terminal.
The cookies used by the Website do not require prior user
consent. Access to the website and navigating it imply implicit consent to
receiving the cookies. However, users can also decide not to receive the
cookies, using the specific browser option.
4.3. Processing of client and supplier data
The data are processed to:
Processing purposes and legal basis: Administrative and
accounting (contract and legitimate interest).
- finalise contractual/professional agreements;
- fulfil pre-contractual, contractual and fiscal obligations
resulting from existing relations, and manage the communications connected to
- fulfil obligations set forth by law, in a regulation, by
Community regulations or an Authority order;
- exercise a legitimate interest and a right of the
Controller (for example: the right to legal defence, protection of credit
positions, ordinary operational, management and accounting needs).
Storage period: Timing compatible with collection purposes.
Providing data: Mandatory to come into contact with the
5. LEGAL FOUNDATIONS FOR THE USE OF USER DATA
In most cases, it is in the legitimate interest of the
Company to collect and use personal data, as described in "Which personal data
are collected and how they are used", so as to provide the user with as useful
a service as possible.
Personal data are processed using manual and IT instruments,
adopting logic strictly related to the purposes themselves, while guaranteeing
the security and confidentiality of the data.
6. REQUESTS TO THE COMPANY
The Company is legally obliged to follow up on requests and
provide information free of charge, except when the requests are manifestly
unfounded or excessive (especially for their repetitive nature). In that case,
the Company may charge a reasonable fee (considering the administrative costs
needed to supply the information or the communications, or for the action
requested) or refuse to follow up on the request.
Any request for information can be sent to
the email: email@example.com.
We kindly ask that you consider the request responsibly
before sending it. The Company will answer as soon as possible. This usually
happens within one month of receiving the request. If more time should be
needed, the Company will contact and notify the user.
This policy has been in force since 15 June 2018. The
Company reserves the right to amend or simply update its content, in whole or
in part, also because of changes to the applicable laws. The Company kindly
asks the Data Subject to visit this section regularly to see the most recent,
updated version of the Policy and be constantly updated on the Personal Data
collected and on how they are used by the company.
- «Personal data»: any information concerning an identified
or identifiable individual («Data Subject»); an identifiable natural person is
one who can be identified, directly or indirectly, in particular by reference
to an identifier such as a name, an identification number, location data, an online
identifier or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that natural person;
- «processing»: any operation or set of operations which is
performed on personal data or on sets of personal data, whether or not by
automated means, such as collection, recording, organisation, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction;
- «process controller»: the natural or legal person, public
authority, agency or other body which, alone or jointly with others, determines
the purposes and means of the processing of personal data; where the purposes
and means of such processing are determined by Union or Member State law, the
controller or the specific criteria for its nomination may be provided for by
Union or Member State law;
- «processor»: a natural or legal person, public authority,
agency or other body which processes personal data on behalf of the controller;
- «recipient»: a natural or legal person, public authority,
agency or another body, to which the personal data are disclosed, whether a
third party or not. However, public authorities which may receive personal data
in the framework of a particular inquiry in accordance with Union or Member
State law shall not be regarded as recipients; the processing of those data by
those public authorities shall be in compliance with the applicable data
protection rules according to the purposes of the processing;
- «third party»: a natural or legal person, public
authority, agency or body other than the data subject, controller, processor
and persons who, under the direct authority of the controller or processor, are
authorised to process personal data;
- «consent of data subject»: any freely given, specific,
informed and unambiguous indication of the data subject's wishes by which he or
she, by a statement or by a clear affirmative action, signifies agreement to
the processing of personal data relating to him or her;
- «personal data breach»: a breach of security leading to
the accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data transmitted, stored or otherwise
- «supervisory authority»: an independent public Authority
which is established by a Member State pursuant to Article 51;
- «supervisory authority concerned»: means a supervisory
Authority which is concerned by the processing of personal data because:
- the controller or processor is established on the territory of the Member State of
that supervisory Authority;
- data subjects residing in the Member State of that
supervisory Authority are substantially affected or likely to be substantially
affected by the processing; or
- a complaint has been lodged with that supervisory